Author Archives: privacynewshighlights

15-21 February 2016

Biometrics

US – The American Government Plans to Scan Your Eyes at Border Crossings

The US government is using eye scans and facial recognition technology for the first time to verify the identities of foreigners leaving the country on foot — a trial move aimed at closing a long-standing security gap, officials announced. Before now, foreigners who left the country were rarely checked by U.S. authorities as they walked into Mexico or Canada through ports of entry. The checkout system that launched Feb. 11 at a busy San Diego border crossing with Mexico aims to ensure those who enter the country leave when their visas expire and identify those who violate that. Up to half of people in the U.S. illegally are believed to have overstayed their visas. Authorities are using the trial runs to determine which technology is the fastest, most accurate and least intrusive in screening people coming and going at all land crossings along the 3145-kilometre border with Mexico. Final results are expected this summer, with the goal of expanding the checks to all land, air and sea ports. Federal officials say they will not share or retain the data collected in the trial runs, but it is not clear how the information will be used if the program is adopted permanently. [Source]

Canada

CA – OIPC SK Unable to Determine if Employee Access to Individual’s Personal Information Was for Legitimate Purposes

The Saskatchewan IPC investigated a complaint alleging improper use and disclosure of personal information by an employee of Saskatchewan Government Insurance. The employee ran a licence plate search on a vehicle belonging to the complainant, who argues that she has a contentious relationship with the employee; such searches, however, are a routine part of the employee’s duties, so the Commissioner could not determine whether this particular access served a legitimate purpose. The agency must evaluate solutions that would let it determine whether an employee’s access is for legitimate business purposes. [Investigation Report 189-2015 – Saskatchewan Government Insurance]

CA – OIPC AB Upholds Educational Institution’s Disclosure of Student’s PI in the Course of a Conflict Resolution Process

This OIPC AB order investigated the alleged unlawful collection and disclosure of a student’s personal information by Bow Valley College pursuant to Alberta’s Freedom of Information and Protection of Privacy Act. An academic official reasonably communicated PI about one student in emails to two supervisors, to ensure that two students did not have contact with one another and to decide whether further disciplinary action might be necessary. The order also found the student’s PI was adequately secured because the email messages remained within the internal computer network (which is monitored for security threats, viruses and unauthorized access) and employees’ email accounts are password protected. [Order F2016-01 – Bow Valley College]

CA – Airlines Should Be Able to Exchange Info on Unruly Passengers: Air Canada

Air carriers should be allowed to share information about unruly passengers to help keep the skies safer, Canada’s largest airline says. A carrier can ban people with a history of disruptive behaviour from taking further flights with that airline, Air Canada notes in a submission to the federal government. But legislation does not permit airlines to exchange information about passengers, even when they believe them to be a safety risk to others. In the submission to a federal review of the Canada Transportation Act, Air Canada says safety “should always be first and foremost.” A report flowing from the review — likely to include some recommendations about air safety — is expected to be made public in coming weeks. The federal privacy commissioner’s office said it was unaware of Air Canada’s sharing proposal, had not studied the issue and could provide no comment at this time. [The Canadian Press]

E-Government

WW – New Tool from Nymity Aims to Simplify Privacy Management

Nymity announced its newest privacy management tool, the Nymity Planner. The “activity based” Nymity Planner “helps privacy offices operationalize compliance, document evidence and resources, delegate accountability, and ‘plan’ privacy management throughout the organization,” the report states. It also includes a GDPR add-on, so companies can consider GDPR compliance as they work to increase privacy protections in their organization. Nymity also plans a Privacy Shield add-on. “The solution will prove to be highly valuable for those privacy officers who are looking to embed, manage, and report on structured privacy management across their organization,” said Nymity’s Constantine Karbaliotis. [GlobeNewswire]

E-Mail

CA – Update on CRTC CASL Compliance and Enforcement

On February 10, 2016, Lynne Perrault and Dana-Lynn Wood of the CRTC provided the latest in what is becoming a series of CASL briefings, as part of an “on-going dialogue” with industry. The CRTC now has a year and a half of enforcement experience under its belt for the Commercial Electronic Messages (CEMs) provisions of CASL, so this presentation focused on patterns and issues that have emerged in that period, and some guidance in response to those issues, including complaint statistics, priorities, and enforcement and other compliance issues. [Canadian Tech Law Blog] See also: [If you hate telemarketers, you’ll love this robot designed to waste their time]

Electronic Records

US – ONC: Patient Comfort Levels With EHRs, Data-Sharing On the Rise

A nationwide survey from the Office of the National Coordinator for Health IT conducted between 2012 and 2014 indicates patients are growing more comfortable with electronic medical records and support data-sharing, though a summary from the agency notes that the survey took place before several major healthcare data breaches in 2015. Preserving patient trust is an essential part of establishing an interoperable health IT infrastructure. A study from the University of Wisconsin-Milwaukee and Dartmouth College based on the 2012 Health Information National Trends Survey found that 13% of respondents reported having withheld information from their provider because of privacy and security concerns. Privacy concerns can “crash” big data initiatives before they become useful, while the key to success lies in finding the right balance, experts said at a Princeton University event in April 2014. [ONC data brief] [FierceHealthIT]

Encryption

US – Apple Fights Order to Unlock San Bernardino Gunman’s iPhone

A debate pitting the government against tech companies has now come to a showdown after Apple CEO Tim Cook announced the company will not comply with a federal court order that it help the FBI unlock the iPhone of one of the San Bernardino shooters. In a win for the government, Magistrate Judge Sheri Pym ordered Apple to provide technical assistance to disable the phone’s auto-erase function (after 10 incorrect passcode attempts, the phone erases its data) so that authorities could “brute force” the passcode. Hours later, Cook announced the company would fight the order. In a message to Apple customers, the company wrote, “This moment calls for public discussion, and we want our customers and people around the country to understand what is at stake.” [The New York Times] See also: [Can the FBI Force Apple to Write Software to Weaken Its Software?] [Why Apple Is Right to Challenge an Order to Help the F.B.I.] [Apple’s Line in the Sand Was Over a Year in the Making] [Who does Apple think it is?] [Apple Said to Get More Time to Fight Order to Unlock IPhone] [Why you should side with Apple, not the FBI, in the San Bernardino iPhone case] [Here’s What The FBI Actually Asked Apple To Do: It’s more complicated than it seems.] [No, Apple Has Not Unlocked 70 iPhones For Law Enforcement] [Apple vs. The FBI: Questions Not Asked] [Apple vs. the FBI: Facebook, Twitter, Google, John McAfee and more are taking sides] [Apple backdoor court order being watched in Canada] [Read Apple’s unprecedented letter to customers about security] [Tech Reactions on Apple Highlight Issues with Government Requests] and finally: [In the Matter of the Search of an Apple iPhone Seized During the Execution of a Search Warrant on a Black Lexus IS300, California License Plate 35KGD203 – Order Compelling Apple Inc. to Assist Agents in Search – United States District Court For The Central District Of California]
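The technical point behind the order is that the erase-after-ten-failures limit is enforced by software on the device; remove that limit and a short numeric passcode falls to exhaustive guessing. The Python below is an added example written for this digest to show that mechanism, not Apple’s code and not a description of how iOS implements the feature: the device model, the key-wrapping scheme, the PBKDF2 iteration count and the four-digit passcode are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import secrets
from itertools import product
from typing import Optional

MAX_FAILURES = 10      # the "10 incorrect attempts" threshold described in the order
PIN_LENGTH = 4         # assumption: a 4-digit numeric passcode
KDF_ITERATIONS = 1000  # kept low so the demo runs quickly; real devices use far more


class Device:
    """Toy model of a passcode-protected data key with an erase counter (not Apple's design)."""

    def __init__(self, passcode: str, erase_enabled: bool = True) -> None:
        self.salt = os.urandom(16)             # stands in for a device-bound secret
        self.erase_enabled = erase_enabled     # the setting the order asks Apple to disable
        self.failures = 0
        self.erased = False
        data_key = secrets.token_bytes(32)
        # The data key is stored only in "wrapped" form under a passcode-derived key.
        self._wrapped = self._xor(self._kdf(passcode), data_key)
        # A tag lets the device recognise the right key without keeping it in clear.
        self._tag = hmac.new(data_key, b"key-check", hashlib.sha256).digest()

    def _kdf(self, passcode: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode.encode(), self.salt, KDF_ITERATIONS)

    @staticmethod
    def _xor(a: bytes, b: bytes) -> bytes:
        return bytes(x ^ y for x, y in zip(a, b))

    def unlock(self, guess: str) -> Optional[bytes]:
        """Return the data key on a correct guess; count failures and erase at the limit."""
        if self.erased:
            return None
        candidate = self._xor(self._kdf(guess), self._wrapped)
        tag = hmac.new(candidate, b"key-check", hashlib.sha256).digest()
        if hmac.compare_digest(tag, self._tag):
            self.failures = 0
            return candidate
        self.failures += 1
        if self.erase_enabled and self.failures >= MAX_FAILURES:
            self._wrapped = bytes(len(self._wrapped))   # destroy the wrapped key
            self.erased = True
        return None


def brute_force(device: Device) -> Optional[str]:
    """Try every PIN in ascending order; give up as soon as the device erases itself."""
    for digits in product("0123456789", repeat=PIN_LENGTH):
        guess = "".join(digits)
        if device.unlock(guess) is not None:
            return guess
        if device.erased:
            return None
    return None


if __name__ == "__main__":
    print("erase on :", brute_force(Device("0042", erase_enabled=True)))    # None
    print("erase off:", brute_force(Device("0042", erase_enabled=False)))   # 0042
```

With the counter on, the attacker gets ten guesses out of ten thousand; with it off, the whole keyspace is searched in seconds. The model omits the hardware key entanglement and the growing per-attempt delays that real devices add, which is why the order also had to address how guesses would be submitted.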

EU Developments

EU – Art WP29 Issues Surveillance Benchmarks

In its statement in response to the announcement of the new EU-U.S. Privacy Shield, the Article 29 WP enunciated “four essential guarantees,” derived from “jurisprudence,” that it is using to assess the protections provided to ensure intelligence surveillance respects fundamental rights. These are:

  1. Processing should be based on clear, precise and accessible rules: This means that anyone who is reasonably informed should be able to foresee what might happen with their data where it is transferred;
  2. Necessity and proportionality with regard to the legitimate objectives pursued need to be demonstrated: A balance needs to be found between the objective for which the data is collected and accessed (generally national security) and the rights of the individual;
  3. An independent oversight mechanism should exist, that is both effective and impartial: This can either be a judge or another independent body, as long as it has sufficient ability to carry out the necessary checks;
  4. Effective remedies need to be available to the individual: Anyone should have the right to defend her/his rights before an independent body.

These four standards are almost identical to the essential safeguards under the EU legal order used in the Sidley Austin report, “Essentially Equivalent: A comparison of the legal orders for privacy and data protection the European Union and United States,” as a basis to compare surveillance laws in the United States and eight illustrative EU member states. [IAPP] [Article 29 WP – Statement on the 2016 Action Plan for the Implementation of the GDPR Work Programme | Action Plan]

UK – ICO Launches Tool to Help SMEs Assess Compliance

The UK ICO has launched a self-assessment tool to help small and medium organisations assess compliance with the Data Protection Act. The tool outlines obligations for registration of personal data processing, identification of individuals responsible for development, implementation and monitoring of data protection and information security policies, training of staff and disposal of personal data held; security measures should be established for effective malware defences, logging and monitoring of user and system activity, and detection of unauthorised access or anomalous use. [ICO UK – ICO Launches New Data Protection Self Assessment Tool for SMEs]


Facts & Stats

US – California Attorney General Releases Data Breach Report

Over the course of the last four years, the personal records of more than 49 million Californians were put at risk, according to a new data breach report from California Attorney General Kamala Harris. Between 2012 and 2015 there were 657 reported breaches, and three out of five state residents were victims of a data breach in 2015 alone. The report includes information on the most common types of data breached, explains which types of breaches different industry sectors were most susceptible to, and provides recommendations to reduce the frequency and impact of future breaches. It articulates basic steps that businesses and organizations must take to comply with the law, reduce data breaches, and better protect the public and our national security, and it includes recommendations for businesses to better protect personal data and maintain “reasonable security.” [Source] [California Data Breach Report February 2016] [California Reports 49 Million Records Breached in Four Years]

Filtering

CA – Google Appeal of Worldwide Injunction Headed to Supreme Court

The Supreme Court of Canada has agreed to hear Google’s appeal of a worldwide injunction which critics warn could turn B.C. into a destination for ‘censorship tourism’. The tech giant is challenging a B.C. Supreme Court ruling made in litigation brought by Burnaby-based Equustek to stop another firm, Datalink, from profiting from the sale of stolen technology. Google was a third party in the litigation, dragged into the case because Datalink relies on web search engines to attract potential customers. Google voluntarily removed 345 links from search results in Canada, but Equustek accused Datalink of playing ‘Whack-A-Mole’ by going international with its listings. Hence the worldwide injunction in 2014 from B.C. Supreme Court Justice Lauri Ann Fenlon. “The courts must adapt to the reality of e-commerce with its potential for abuse by those who would take the property of others and sell it through the borderless electronic web of the internet,” Fenlon wrote. “That (injunction) is necessary … to ensure that the defendants cannot continue to flout the court’s orders.” The ruling, which was upheld by the B.C. Court of Appeal, made headlines around the world. It’s one of a growing body of legal decisions struggling to balance the rights and responsibilities of technology companies operating across global boundaries.

In agreeing to hear the case, Canada’s highest court defined those questions as follows:

  • “Under what circumstances may a court order a search engine to block search results, having regard to the interest in access to information and freedom of expression, and what limits (either geographic or temporal) must be imposed on those orders?”
  • “Do Canadian courts have the authority to block search results outside of Canada’s borders?”
  • “Under what circumstances, if any, is a litigant entitled to an interlocutory injunction against a non-party that is not alleged to have done anything wrong?” [CBC] [Canadian courts wade into free-speech battle with worldwide injunction against Google]

FOI

NZ – Government Made 12,000 Privacy Requests to Just 10 Companies

The New Zealand privacy commissioner revealed that government agencies, including Inland Revenue, Police and Ministry of Social Development made nearly 12,000 requests for citizens’ personal information to only 10 companies from August to October 2015. This information was revealed as part of an Office of the Privacy Commissioner trial transparency program. The OPC further discovered that more than 1,000 information requests were incorrectly labelled as being made under the Privacy Act, which provides no mechanism for government agencies to make requests for personal information. The 10 companies voluntarily complied with the information requests approximately 96 percent of the time, which has left some lawyers and privacy advocates concerned that agencies were misleading companies by using clauses of the Privacy Act to compel sharing of personal information. [NZ Herald]

CA – IPC ON Orders Oshawa to Issue Decision Relating to Email by City Councillor

The Information and Privacy Commissioner of Ontario reviewed a decision by the City of Oshawa to deny access to records requested pursuant to the Municipal Freedom of Information and Protection of Privacy Act. Although the councillor is not an employee of the public body (elected members of a municipal council are not agents or employees of municipal corporations), the record is under the control of the public body: its contents relate to a departmental matter and the public body could reasonably expect to obtain a copy of the record upon request. [IPC ON – Order MO-3281 – The Corporation of the City of Oshawa]

Health / Medical

US – HHS Releases New HIPAA and Mobile Sharing Guidance

The Department of Health and Human Services’ Office for Civil Rights debuted new scenario-based guidance to help health care providers better understand how to protect patient data and comply with HIPAA on mobile devices. Privacy advocates are pleased. “This guidance is important since some developers still aren’t clear about whether they fall under HIPAA or not — that is, whether or not they are HIPAA-defined business associates,” said The Marblehead Group. The guidance is next in the agency’s “cyber-awareness initiative,” with a manual on HIPAA and cloud computing forthcoming, the report adds. [GovInfoSecurity]

CA – Debate Continues on Ontario Health Privacy Breach Law

A bill proposing to double the fines for violations of Ontario’s Personal Health Information Protection Act was a subject of debate at Queen’s Park in Toronto. Bill 119, the Health Information Protection Act, was tabled Sept. 16 by Liberal Health Minister Eric Hoskins. Among other things, Bill 119, if passed into law, “would double the maximum fines for offences, under PHIPA, from $50,000 to $100,000 for individuals and from $250,000 to $500,000 for organizations,” said Indira Naidoo-Harris, Liberal MPP for Halton and parliamentary assistant to Hoskins, at Queen’s Park Tuesday. Other changes proposed in Bill 119 “include making it mandatory to report privacy breaches as defined in regulation.” [Canadian Underwriter]

CA – Sask. Residents Can View Their Personal Health Care Information Online

500 Saskatchewan residents were invited to participate in a new pilot program offered by eHealth. The pilot allows residents to view their personal health information online through a secure website. So far, 232 residents have created accounts. The Citizen Health Information Portal (CHIP) pilot will include up to 1,000 participants from across the province. Throughout the six-month trial period, participants can view their personal lab results, immunization history, 25 months of prescription history and hospital visits from anywhere in the world. Participants can add their personal history to the record, including information about allergies and surgeries and medication reminders. Parents can access their children’s health-care information, and travellers can print their health information and take it with them on holidays. [Source] [Saskatchewan patient access to online health records requires big focus on security] [Debate continues on Ontario health privacy breach law]

Horror Stories

US – Ransomware Hits California Hospital

Computer systems at the Hollywood Presbyterian Medical Center in southern California have fallen prey to ransomware. The systems have been offline for more than a week. Employees were not able to access patient files and the hospital declared the situation an internal emergency. The FBI, the L.A. Police Department, and cyberforensics experts are investigating. Early reports said the attackers demanded a ransom of 9,000 Bitcoins (approximately US $3.6 million). While the organization is dealing with the attack, its network is offline and “staff are struggling to deal with the loss of email and access to some patient data.” Some patients have also been transferred to other hospitals because of the attack, and registrations and medical records are currently being logged on paper. Meanwhile, a new study by the Cloud Security Alliance and Skyhigh has found that cybersecurity insurance makes companies more likely to pay in ransomware attacks. [CSO Online] [ZDNet] [ComputerWorld] [BBC] UPDATE: [LA Hospital Pays Hackers Nearly $17,000 To Restore Computer Network]

Internet / WWW

US – Google Says it Tracks Personal Student Data, But Not for Advertising

What does Google do with the personal information it collects from children who use Google products at school? Google provided some answers in a seven-page letter to Sen. Al Franken (D-Minn.), the ranking member of the Judiciary Subcommittee on Privacy, Technology and the Law. Google does not use K-12 students’ personal information to serve targeted advertisements, but Google does track data from students for other reasons, including developing and improving Google products. Such tracking happens when students are signed into their Google Apps for Education account but are using certain Google services — such as Search, YouTube, Blogger and Maps — that are considered outside Google’s core educational offerings. Thousands of K-12 schools and universities — and more than 30 million students and teachers — use Google’s Apps for Education, which the company provides to schools free of charge. Franken said that Google’s response was “thorough,” but said he will seek further clarification from Google about some of its privacy policies regarding student data. [The Washington Post] See also: [UC Berkeley students sue Google, alleging their emails were illegally scanned]

US – 90% of Enterprises in U.S. to Increase Annual Spend On Cloud Computing

A new survey out of the U.S. identifies a cloud computing spending pattern – 90% of respondents say their companies plan to increase or maintain related budgets – that signals a growth opportunity for providers. Cloud service providers are advised to target opportunity in enterprise market, Washington, D.C.-based B2B research firm Clutch suggested in releasing its 2016 Enterprise Cloud Computing Survey last week. [Canadian Underwriter] See also: [Privacy, power concerns drive Canadian data center growth]

Law Enforcement

CA – Group’s Efforts to Review Ottawa Police Sexual Assault Cases Fall Flat

The Ottawa Police Service denied a group’s request to have full disclosure in reviewing sexual assault cases, citing privacy concerns as the main reason. Scassa, a law professor and member of the external advisory committee of the Office of the Privacy Commissioner of Canada, said the (external audit) model could be adopted in Ottawa if the advocates who review cases sign confidentiality agreements. The group that has been lobbying the Ottawa police to adopt the model said they would be willing to do that. “There’s nothing in Ontario privacy law that stops the police here from doing the same thing,” said Scassa. “I think there is a great tendency to use privacy as an excuse for not doing things, or for government institutions to use privacy as an excuse for not doing things they don’t want to do.” [MetroNews]

CA – Ontario Privacy Laws Hamper Social Agencies

The head of a St. Catharines social agency says more missing adults in Ontario could be found if government legislation did not prohibit sharing personal information with family members. “They have rights and responsibilities within the Mental Health Act that precludes us from going and taking them and forcing them into a situation that they’re not comfortable with.” Souter says it is important to respect the privacy of all people, but rules around confidentiality often put an individual at odds with his or her family. [CBC] [Ontario man missing 30 years suddenly remembers own identity] SEE ALSO: [B.C. privacy laws slow efforts to find, compensate children of missing women]

Location

CA – Waterloo Deploys ALPR on Delinquent Parkers

Delinquent parkers beware: it’s going to get a lot harder to dodge a parking ticket if you overstay your welcome in Waterloo’s free parking zones. A new licence plate recognition vehicle will begin patrolling the streets in March. The vehicle will use specialized cameras to scan licence plates, capture the GPS coordinates of the vehicle and capture a before and after image of the vehicle’s wheels. It’s an initiative the city has been working on since 2011, said Waterloo’s manager of compliance and standards, Mulhern. He says part of why it took five years to get the program off the ground was the city’s dedication to ensuring all possible privacy concerns had been addressed, and that the city worked with the privacy commissioner to make sure the system was set up correctly and that data would be stored securely and for no longer than necessary. Labouring over those kinds of details seems to have paid off. When contacted by the CBC, Ontario Civil Liberties Association executive director Joseph Hickey said it appeared the city had addressed privacy concerns, and “therefore this is a minor issue for us.” The city plans to hold an open house Thursday at RIM Park from 12 to 8 p.m. for the public to see the new parking control system and ask questions. [CBC]

Privacy (US)

WW – EY Releases Report on Privacy Trends for 2016

EY has now released a report on privacy trends in 2016, called “Can privacy really be protected anymore?” Of those surveyed, nearly half said they were concerned with having a clear picture of where personal information is stored outside the organization’s systems and services. Additionally, nearly 40% expressed concern that there are not enough people to support their privacy program. “As the onus of accountability shifts from regulators to organizations,” the report states, “organizations need to take heed of where they are in terms of their privacy maturity and what they need to do to make privacy protection part of everything in an organization.” [Source]

US – Tech Company Settles FTC Charges for Installation of Apps Without Consumer Knowledge or Consent

General Workings Inc. entered into a settlement agreement with FTC for alleged violations of section 5(a) of the FTC Act. The company replaced a popular app with its own software program that automatically approved default permissions requests associated with apps that were then installed on consumers’ desktops and mobile devices; the company must delete all consumer personal information in its possession, custody or control, inform consumers of the types of information that will be accessed and display any permissions notice or approval requests prior to installation of the app. [FTC Settlement Agreement with General Workings Inc and Ali Moiz and Murtaza Hussain – File 152-3159] [Press Release] [FTC Complaint]

US — Privacy Owes Much to Attorneys General: Report

The University of Maryland Francis King Carey School of Law’s Danielle Keats Citron argues that state attorneys general are the unsung heroes of developing privacy law in her new research that has been posted to the Social Science Research Network, entitled “Privacy Enforcement Pioneers: The Role of State Attorneys General in the Development of Privacy Law.” In it, she writes, “Accounts of privacy law have focused on legislation, federal agencies, and the self-regulation of privacy professionals,” adding, “Crucial agents of regulatory change, however, have been ignored: the state attorneys general.” According to the SSRN abstract, “this article is the first in-depth study of the privacy norm entrepreneurship of state attorneys general.” [Full Story]

US – Tech firms Unite to Form Cybersecurity Coalition

Seven cybersecurity firms banded together to create the Coalition for Cybersecurity Policy and Law, a group committed to developing an online privacy framework with legislators. Cisco, Intel, Arbor Networks, Microsoft, Oracle, Rapid7 and Symantec are the organizations represented in the coalition, which was “founded on three major principles: stimulating the cybersecurity marketplace; encouraging cybersecurity innovation,” and encouraging other companies to embrace cybersecurity from the ground up. “The members of this Coalition are dedicated to building our nation’s public and private cybersecurity infrastructure, and their insight and engagement must play a vital role in the decisions being made by our government on cybersecurity policy,” said Venable’s Ari Schwartz, who serves as the coalition’s coordinator. [FedScoop]

NZ – Nudist Resort Removes Photos of Judge from Site

An unnamed judge recently spent time at the Pineglades Naturist Club in Rolleston where he was photographed lounging and playing games in the nude. The club had posted photos of the naked judge online for promotional purposes. However, the photos were removed from the club’s website after the newspaper made inquiries into them. The Guidelines for Judicial Conduct warn that a judge attracts more attention and scrutiny than most members of the community, so they should accept some restrictions on conduct and activities. The judge is unlikely to be punished though as there are no disciplinary mechanisms for enforcing the guidelines. [The New Zealand Herald]

Security

US – Cyber Threat Information Sharing Guidelines Released by DHS

This week, the Federal government took the first steps toward implementation of the Cybersecurity Information Sharing Act (CISA), enacted into law last December. CISA aims to encourage sharing of cyber threat indicators and defensive measures among private companies and between the private sector and the Federal government by providing liability protection for sharing such information in accordance with the Act. The DHS Federal Register notice was published this morning. As required by the Act, the government has released four pieces of guidance designed to assist companies and Federal agencies with respect to sharing, receiving and handling cyber threat information.

WW – Study: Leaked data quickly gobbled up in the Dark Web

Bitglass’ second annual “Where’s Your Data” study found that within “a few days” of the researchers leaking fabricated user data, the information was accessed via the Dark Web from “20 countries and multiple continents.” “In total, the team tracked over 1,400 visits to the fake credentials, in addition to the fictitious bank portal,” the report states. The findings are evidence of the need for companies to properly protect the personal information they hold. “Organizations need a comprehensive solution that provides a more secure means of authenticating users and enables IT to quickly identify breaches and control access to sensitive data.” [ZD Net]
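The Bitglass exercise is a honeytoken experiment: fake credentials are planted where a leak might surface, and any later use of them is the signal. A defender can do the same on their own systems by deriving one unique fake account per place the data might leak from and watching the authentication log for it. The Python below is an added example for this digest, not Bitglass’s tooling: the channel names, the `auth ok|fail user=… ip=…` log format, the log lines and the HMAC secret are all constructed for the example.

```python
import hashlib
import hmac
import re
from typing import Dict, List, Optional

# Assumption: a server-side secret known only to the defender (placeholder for the example).
TOKEN_SECRET = b"rotate-me-this-is-a-demo-secret"


def make_honeytoken(channel: str) -> str:
    """Derive the fake username planted in one leak channel.

    The tag is an HMAC of the channel name, so someone who finds several of these
    accounts cannot tell which channel each came from, but the defender can.
    """
    tag = hmac.new(TOKEN_SECRET, channel.encode(), hashlib.sha256).hexdigest()[:10]
    return f"j.doe.{tag}@example.com"


def identify_channel(username: str, channels: List[str]) -> Optional[str]:
    """Map a username seen in the log back to the channel it was planted in, if any."""
    for channel in channels:
        if hmac.compare_digest(make_honeytoken(channel).encode(), username.encode()):
            return channel
    return None


# Constructed log format for the example; adapt the pattern to the real auth log.
LOG_LINE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def scan_auth_log(lines: List[str], channels: List[str]) -> List[Dict[str, str]]:
    """Return one record per honeytoken use: when, from where, and which channel leaked."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue                      # unrelated or malformed line
        channel = identify_channel(m["user"], channels)
        if channel is not None:
            hits.append({"ts": m["ts"], "ip": m["ip"], "channel": channel, "result": m["result"]})
    return hits


CHANNELS = ["paste-site", "forum-dump", "partner-share"]

# Constructed sample log: two real users, three honeytoken uses, one junk line.
SAMPLE_LOG = [
    "2016-02-18T03:14:07Z auth ok user=alice ip=203.0.113.5",
    f"2016-02-18T03:15:22Z auth fail user={make_honeytoken('paste-site')} ip=198.51.100.23",
    "2016-02-18T03:16:01Z auth fail user=bob ip=203.0.113.9",
    f"2016-02-18T04:02:45Z auth fail user={make_honeytoken('forum-dump')} ip=192.0.2.77",
    f"2016-02-18T04:03:10Z auth fail user={make_honeytoken('paste-site')} ip=192.0.2.78",
    "not a log line at all",
]

if __name__ == "__main__":
    for hit in scan_auth_log(SAMPLE_LOG, CHANNELS):
        print(hit)
```

Any hit is a breach indicator by construction, since nobody legitimate knows these accounts; the channel name tells you which copy of the data got out, and the timing tells you how quickly leaked data is exploited, which is the number the Bitglass study reports.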

Smart Cars

US – Verizon’s “Hum” Device for Your Car Will Rat Out Speeding Teens, Wandering Spouses

The $15/month Verizon “hum” service was originally launched to collect vehicle diagnostics, connect users to roadside assistance and provide maintenance reminders. But this morning Verizon announced that it will be adding a slew of new features for the hum, including boundary alerts, speed alerts, vehicle location, and driving history. [The Consumerist] SEE ALSO: [Marc Garneau: Canada’s Senate To Study Rules Surrounding Driverless Cars]

Surveillance

WW – 519070 or Blank: The PINs that Can Pwn 80k Online Security Cams

Researchers say up to 80,000 digital video recorders (DVRs) used to record footage from surveillance cameras employ hardcoded passwords – or don’t use one at all – opening avenues for attackers to breach home and business networks and compromise privacy. In one examination, at least 46,000 DVRs were found open to remote hijacking through a hardcoded firmware username and password. Risk-Based Security chief researcher Carsten Eiram says most of the exposed cameras are operating in the US followed by the UK, Canada, Mexico and Argentina.  [The Register]
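What the researchers describe is the class of defect a firmware audit is meant to catch before a device ships: credentials baked into the image, or accounts with no password at all. The usual first pass is to pull printable strings out of the image and look for credential-shaped ones. The Python below is an added example for this digest, not Risk-Based Security’s tooling and not taken from any real DVR image: the firmware blob, the account names and the config key are constructed; the only value taken from the report is the 519070 PIN.

```python
import re
from typing import Dict, List

# Constructed stand-in for a DVR firmware image; not data from any real device.
FIRMWARE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/etc/init.d/dvr start\x00"
    + b"admin:519070\x00"                  # hardcoded credential (the PIN from the report)
    + b"guest:\x00"                        # account with an empty password
    + b"root:x:0:0:root:/:/bin/sh\x00"     # passwd-style entry, password field shadowed
    + b"WEB_PASSWORD=\x00"                 # config key with an empty value
    + b"http://updates.example.invalid/fw.bin\x00"
    + b"\x90\x90\x90\x90"
)

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# Heuristics: a "user:secret" pair on its own line, or a PASS/PIN-style config key.
USER_PASS = re.compile(r"^(?P<user>[a-z][a-z0-9_-]{0,31}):(?P<secret>[A-Za-z0-9]*)$")
CONFIG_KEY = re.compile(r"^(?P<key>[A-Z0-9_]*(PASS|PASSWORD|PIN|PWD)[A-Z0-9_]*)=(?P<value>.*)$")
KNOWN_DEFAULTS = {"519070"}                # the hardcoded PIN named in the report


def extract_strings(blob: bytes) -> List[str]:
    """Return every run of 4+ printable ASCII bytes, as the `strings` tool would."""
    return [m.group().decode("ascii") for m in PRINTABLE.finditer(blob)]


def audit_credentials(blob: bytes) -> List[Dict[str, str]]:
    """Flag strings that look like hardcoded, default or empty credentials."""
    findings = []
    for s in extract_strings(blob):
        m = USER_PASS.match(s)
        if m:
            if m["secret"] == "":
                issue = "empty password"
            elif m["secret"] in KNOWN_DEFAULTS:
                issue = "known default credential"
            else:
                issue = "plaintext credential"
            findings.append({"string": s, "issue": issue})
            continue
        m = CONFIG_KEY.match(s)
        if m and m["value"] == "":
            findings.append({"string": s, "issue": "empty password setting"})
    return findings


if __name__ == "__main__":
    for finding in audit_credentials(FIRMWARE_BLOB):
        print(f"{finding['issue']:26} {finding['string']}")
```

The patterns are deliberately narrow (a lowercase account name, an alphanumeric secret, a single colon) so that URLs and `/etc/passwd` entries do not trip them; a real audit would extend the default list with the vendor’s documented credentials and treat any hit as release-blocking, because, as the report notes, such accounts are reachable by anyone who can talk to the device.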

Telecom / TV

US – Coalition Calls FCC Set-Top-Box Proposal ‘An Assault’ On Privacy

Privacy advocates continue to criticize the Federal Communications Commission’s proposal for new set-top-box TV guidelines, calling them both “an assault on consumer privacy” and an outlet that lets “privacy scofflaws like Google” obtain greater swaths of user data, the Future of TV Coalition said. While FCC Chairman Tom Wheeler maintains the guidelines would have privacy protections, the advocacy group argues the overreaching consequences are too immense. “The Chairman’s approach creates a gaping hole in consumer privacy where none exists today, and leaves our personal viewing histories at the mercy of vast businesses built almost entirely on mining, exploiting, and profiling our personal data,” the Future of TV Coalition said. [MediaPost] [Lawmakers weigh in on FCC set-top box changes]

US Government Programs

US – Interim Guidelines for Cybersecurity Act Released by DHS

The Department of Homeland Security published interim guidelines that illustrate how the agency will collect data under the Cybersecurity Act of 2015. The act-mandated move was an attempt to assuage critics of the legislation, who fear it will conclude with even more citizen data collected by the agency. “We know many cyber intrusions can be prevented if we share cyber threat indicators,” said DHS Secretary Jeh Johnson. “Sharing this kind of information in real-time, and swiftly applying defensive measures, will allow both the government and private sector to more effectively prevent attacks.” The agency has until June to complete a more formal privacy guideline. [The Hill]

US Legislation

US – Roundup:

Workplace Privacy

US – Bosses Tap Outside Firms to Predict Which Workers Might Get Sick

In an attempt to curb health care costs, companies like Wal-Mart are hiring data-mining firms to analyze employee information and identify those with potential health risks. “Companies say the goal is to get employees to improve their own health as a way to cut corporate health care bills,” the report states, but “privacy experts worry that management could obtain workers’ health information, even if by accident, and use it to make workplace decisions.” [Wall Street Journal] [US: Bosses Harness Big Data to Predict Which Workers Might Get Sick]

+++

08-14 February 2016

Canada

CA – OPC Wants Info on Agency Tracking Peaceful Protests

Canada’s privacy watchdog wants more information on a central government agency keeping tabs on peaceful protests. Privacy commissioner Daniel Therrien’s office has asked the Government Operations Centre (GOC) to review its tracking of lawful protest and dissent. The GOC provides 24/7 “situational awareness” for the federal government and is supposed to help co-ordinate Ottawa’s response to natural disasters or threats to infrastructure. But in late 2014, it was revealed that the GOC had collected information on more than 800 peaceful protests, demonstrations and academic panels since 2006. Documents tabled in Parliament in 2014 showed the GOC had information on events like a rally for veterans on Parliament Hill, a public panel discussion in Toronto on the oilsands, and a number of vigils and marches for missing and murdered indigenous women. In June 2014, the Ottawa Citizen reported that the GOC had asked government departments for help in compiling a “comprehensive listing of all known demonstrations” across the country. The revelations drew the ire of the Liberals while in opposition. [The Star]

CA – Premier’s Office in Nova Scotia Broke Law, Privacy Czar’s Report Finds

The office of Nova Scotia Premier Stephen McNeil broke privacy laws when chief of staff Kirby McVicar publicly released sensitive medical information about a former cabinet minister, the province’s privacy commissioner says. McVicar resigned Nov. 24 after stating in several media interviews that Andrew Younger had a brain tumour and had been diagnosed with post-traumatic stress disorder. In a report released Thursday, privacy commissioner Catherine Tully concluded that McVicar violated provisions of the Freedom of Information and Protection of Privacy Act. “The report finds that the disclosure is a breach of the privacy rules,” the report says, though there is no mention of penalties or further investigation. McNeil, speaking after a cabinet meeting, challenged Tully’s main conclusion, saying his office was not to blame because McVicar took sole responsibility for his actions. [Source] [CBC: NS OIPC rules premier’s former chief of staff violated law]

CA – Ontario Professionals Obligated to Share Info About “At Risk” Children

The Information and Privacy Commissioner of Ontario has issued a guide for disclosure of information to child protection workers. Individuals with reasonable grounds to suspect a child is in need of protection must immediately report the suspicion to a children’s aid society, even if the information is confidential or privileged and despite provisions of any other act; institutions and custodians are protected from liability if they act in good faith and do what is reasonable under the circumstances. [IPC ON – Yes You Can – Dispelling the Myths About Sharing Information with Childrens Aid Society]

E-Mail

WW – Gmail Now Warns Users When They Send and Receive Email Over Unsecured Connections

Google is introducing new authentication features to Gmail to help users better identify emails that could be harmful or are not fully secure. The company said last year that it would beef up security measures and identify emails that arrive over an unencrypted connection, and it has now implemented that plan for Gmail, which Google just announced has passed one billion active users. Beyond flagging emails received over unsecured connections, Google also warns senders: Gmail on the web shows a small open lock in the top-right corner when a user is sending email to a recipient whose account is not encrypted. The same lock appears when you receive an email from an account that is not encrypted. Last year, Google said that 57% of messages that users on other email providers send to Gmail are encrypted, and 81% of outgoing messages from Gmail are. Another measure implemented today shows users when they receive a message from an email account that can’t be authenticated: if a sender’s profile picture is a question mark, Gmail was not able to authenticate the sender. Authentication is one method for assessing whether an email is a phishing attempt or another kind of malicious attack designed to snare a user’s data. [TechCrunch] [Google Gmail Help]
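What an “unencrypted connection” warning is based on can be seen after the fact in a message’s Received headers, which each relaying server writes as it accepts the message. The following is an added example, not Google’s code and not from the article: it parses those headers from a constructed message and flags hops that were not made over TLS. It relies on the convention, used by Sendmail, Postfix and Exim, that a hop negotiated with STARTTLS carries the keyword ESMTPS (or ESMTPSA when the sender also authenticated); the sample message, hostnames and addresses are all made up.

```python
import email
import re
from email import policy

# Constructed sample message (not a real email). The newest hop is listed
# first; it was received over TLS ("with ESMTPS"), the older hop was not.
SAMPLE_MESSAGE = """Received: from mx.example.org (mx.example.org [192.0.2.10])
 by mail.example.com with ESMTPS id abc123
 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256);
 Mon, 8 Feb 2016 10:00:02 +0000
Received: from relay.example.net (relay.example.net [198.51.100.7])
 by mx.example.org with ESMTP id def456;
 Mon, 8 Feb 2016 10:00:00 +0000
From: sender@example.net
To: recipient@example.com
Subject: constructed test message

body text
"""

# "from <host> ... by <host> ... with <protocol>" is the RFC 5321 trace shape;
# the protocol keyword is what tells us whether STARTTLS was negotiated.
HOP_RE = re.compile(
    r"from\s+(?P<from>\S+).*?\bby\s+(?P<by>\S+).*?\bwith\s+(?P<proto>[A-Za-z0-9]+)"
)


def parse_hops(raw_message: str) -> list:
    """Return one dict per Received header, newest hop first."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    hops = []
    for value in msg.get_all("Received", []):
        text = " ".join(str(value).split())  # unfold the header, collapse whitespace
        match = HOP_RE.search(text)
        if not match:
            continue  # hop written in an unfamiliar form; skip rather than guess
        proto = match.group("proto").upper()
        # ESMTPS / ESMTPSA mean STARTTLS was used; some MTAs additionally
        # record an explicit "version=TLS..." clause.
        encrypted = bool(re.search(r"SMTPSA?$", proto)) or "version=TLS" in text
        hops.append({"from": match.group("from"), "by": match.group("by"),
                     "protocol": proto, "encrypted": encrypted})
    return hops


def unencrypted_receivers(raw_message: str) -> list:
    """Hostnames that accepted this message over a cleartext connection."""
    return [hop["by"] for hop in parse_hops(raw_message) if not hop["encrypted"]]


if __name__ == "__main__":
    for hop in parse_hops(SAMPLE_MESSAGE):
        print(hop)
    print("cleartext hops:", unencrypted_receivers(SAMPLE_MESSAGE))
```

Two caveats matter when reading the result. Only the Received line written by your own server is trustworthy; every earlier hop is text supplied by the previous server and can be forged, so this is a diagnostic, not a guarantee. And a TLS hop only protects the message on the wire between two servers; it says nothing about whether the message is encrypted at rest or end to end, which is why Gmail’s lock icon is about transport, not content.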

Encryption

US – Lawmakers Seek to Loosen Encryption on Smartphones

A fight over encryption-protected smartphone data is heating up in California and New York where lawmakers and law enforcement groups are pushing bills to enable investigators to unscramble data to obtain critical evidence in human trafficking, terrorism and child pornography cases. The bills seek to loosen the powerful encryption tools major cell-phone manufacturers have put in place to protect a smartphone user’s privacy and guard against hacking. Supporters argue law enforcement needs access to data that can help them prove or solve criminal cases, while technology and privacy groups are concerned the legislation would put a user’s personal information at risk. [SF Chronicle] [Sen. Feinstein Says Terrorists Only Need The Internet and Encryption To Attack] [US Congress locks and loads three anti-encryption bullets] [Bill Would Ban State Efforts to Weaken Encryption]

US – New Bill Aims to Stop State-Level Decryption Before It Starts

Over the last several months, local legislators have embarked on a curious quest to ban encryption at a state level. For a litany of reasons, this makes no sense. And now, a new bill in Congress will attempt to stop the inanity before it becomes a trend. California Congressman Ted Lieu has introduced the “Ensuring National Constitutional Rights for Your Private Telecommunications Act of 2016,” which we’ll call ENCRYPT. It’s a short, straightforward bill with a simple aim: to preempt states from attempting to implement their own anti-encryption policies. We’ve outlined the reasons that a patchwork of state anti-encryption laws makes no sense before, but it’s worth a quick recap. Lieu himself considers there to be three main issues with allowing government backdoors generally. (He’s also, for what it’s worth, one of four sitting Congressmen with a computer science degree.) [WIRED]

WW – Report: A Worldwide Survey of Encryption Products

A report from Bruce Schneier, Kathleen Seidel, and Saranya Vijayakumar says that mandating backdoors in encryption products would hinder competitiveness for those countries while having little effect on criminals intent on using encryption products that are free of such weaknesses. “Anyone who wants to evade an encryption backdoor in US or UK encryption products has a wide variety of foreign products they can use instead.” [Schneier] [ArsTechnica] [The Register] [NBC News]

EU Developments

EU – WP29 Lays Out 2016 Action Plan for GDPR Implementation

Last week, the Article 29 Working Party published the group’s action plan for the implementation of the General Data Protection Regulation. The Privacy Advisor shares commentary from Falque-Pierrotin during last week’s presser and looks into the official release by the WP29 of its four action plan items, which include the establishment of a European Data Protection Board, preparation for a one-stop shop and consistency mechanism, guidance for controllers and processors, and the creation of an online communication tool around the EDPB and GDPR. [IAPP]

UK – Snooper’s Charter Given Thumbs Up by UK Parliament Report

The UK parliament has published a joint committee report that only feebly challenges the government’s draft Investigatory Powers Bill. In contrast to the scathing report by the Intelligence and Security Committee published earlier this week, the joint committee accepts nearly all the arguments of the government and intelligence services for wide-ranging and intrusive surveillance powers. In response to the controversy and criticisms of the proposed Snooper’s Charter, the report simply says: “The public debate over these powers is a healthy one, and the Home Office should ensure that it and the security and intelligence agencies are willing to make their case strongly in the months ahead.” In the main, the joint committee calls for only minor tweaking of the plans, but does recommend that a post-legislative review of the Snooper’s Charter should be made five years after it has been enacted. It also wants it to be illegal to ask foreign agencies like the NSA to undertake surveillance that UK intelligence agencies are not authorised to undertake themselves. [Ars Technica] [UK politicians green-light plans to record every citizen’s internet history but recommend that no encryption backdoors should be installed] [Parliamentary Watchdog Savages Snoopers’ Charter: ‘Inconsistent and largely incomprehensible’]

EU – Facebook Ordered to Stop Tracking Non-Users in France

In a 16-page ruling issued this week, France’s CNIL found fault with data collection by Facebook at its own site, and at the sites of outside publishers with “Like” buttons. “While the purpose claimed by the company may seem legitimate (ensuring the security of its services), collecting data on browsing activity by non-account Facebook holders on third-party websites is carried out without their knowledge.” The regulator also said that Facebook violates EU privacy law by placing cookies on the computers of visitors to Facebook.com without first obtaining their consent. Last year, authorities in Belgium also ordered Facebook to stop tracking non-users. Several weeks later, Facebook began preventing non-account holders in Belgium from accessing Facebook.com. In the past, anyone in that country could access many Facebook pages found through search engines, including pages for small businesses, sports teams, celebrities and tourist attractions. The CNIL also said in its ruling that Facebook can’t send data about EU citizens to U.S. servers, due to a ruling last October that invalidated an agreement that enabled the data transfers. While EU and U.S. authorities recently negotiated a new agreement, it has not yet been finalized. [MediaPost] [French data privacy regulator cracks down on Facebook]

UK – UK and US Negotiating on Wiretap Orders and Warrants

US and UK negotiators are working toward an agreement that would allow MI5 to serve US companies with wiretap orders for communications of British citizens in counterterrorism investigations. The arrangement would also allow Britain to serve orders for stored data. The draft proposal would allow MI5 to access data stored on overseas computers that are run by American organizations. The proposal would allow US intelligence the same access in the UK. [The Register] [Wash Post]

Facts & Stats

UK – Data Breaches led 3 Million Brits to Switch Service Provider

In the UK, three million Brits have changed service providers as a direct result of data breaches, according to new research by Privitar. Concerns over how personal data is stored, used and ultimately protected have led to growing discomfort among consumers, with findings suggesting that perceptions of how well organizations safeguard their data are a significant consideration when customers choose a service. Despite this, more than half (52%) of the 2,018 adults surveyed admitted that they struggle to find out how their data is stored and used by companies. With the GDPR due to be implemented across the industry in the coming months, companies face the challenge of acting on data privacy and protection to win customer trust and avoid customer churn. After all, 83% of respondents said they would look to switch to another service if they felt it could manage their data better. [Infosecurity]

Filtering

EU – Google to Scrub Web Search Results More Widely to Soothe EU Objections

Google will start scrubbing search results across all its websites when accessed from a European country to soothe the objections of Europe’s privacy regulators to its implementation of a landmark EU ruling, a person close to the company said. To address the concerns of European authorities, the Internet giant will soon start scrubbing search results across all its websites when someone conducts a search from the country where the removal request originated, the person said. That means that if a German resident asks Google to de-list a link popping up under searches for his or her name, the link will not be visible on any version of Google’s website, including Google.com, when the search engine is accessed from Germany. [Reuters] [New York Times] [Google to honor RTBF requests worldwide, for European users]

Finance

UK – National Financial Crime ‘Taskforce’ Launched

The UK’s largest retail banks have joined forces with the Home Office, Bank of England and police to develop a coordinated approach to tackling fraud. Project Sunbird, a collaboration between the Western Australian Police and the Western Australian government’s Department of Commerce, is able to analyse international transaction data to detect patterns consistent with fraud and pro-actively reach out to individuals who may have been victims. The new Joint Fraud Taskforce’s early work will focus on improving intelligence-sharing between the financial sector, government and law enforcement, in order to prevent fraudsters from exploiting gaps and vulnerabilities. It will also help to raise public awareness through a list of the 10 ‘most wanted’ fraudsters, and work to establish “a much richer understanding of how fraud happens, and what can be done to stop it”, according to the UK home secretary. Members of the taskforce include the City of London Police, the National Crime Agency, the Bank of England, fraud prevention body Cifas, Financial Fraud Action UK (FFA UK) and the chief executives of the major banks. The new taskforce will report to the Home Office, as well as publishing public updates, the home secretary told MPs. [Source]

Genetics

CA – Senate Bill Prohibits Employers from Taking Disciplinary Action for Employee Refusal to Disclose Genetic Test Results

Bill S-201, An Act to Prohibit and Prevent Genetic Discrimination has received second reading and been referred to the Standing Senate Committee on Human Rights. An employee’s refusal to undergo or disclose the results of a genetic test cannot be used to dismiss, suspend, demote or lay off an employee, impose any penalty on an employee, refuse remuneration, or threaten to take disciplinary action against an employee; no individual can disclose to an employer that an employee had undergone a genetic test or the results of an employee’s genetic test without written consent. [Bill S-201 – An Act to Prohibit and Prevent Genetic Discrimination – Senate of Canada]

Health / Medical

CA – Insurance Company Offers Rebates for Healthy Lifestyle

A Canadian insurance company is set to offer a new insurance program that rewards policy holders for healthy lifestyle choices such as regular exercise, getting an annual health screening or a flu shot. Ontario-based insurance giant Manulife is partnering with Vitality Group to bring the program to Canada, after rolling out similar systems in parts of Africa, Asia and the United States. The company said the sign-up process is similar to that of many insurance policies: applicants take an online test to determine their level of overall health and are then offered a premium. Policy holders who enroll in the program receive personalized health goals and can log their activities using online and automated tools, which are integrated with the latest wearable fitness-tracking technology such as Fitbit, Manulife said. Officials at the Office of the Privacy Commissioner of Canada said that while they have not studied the insurance product offered by Manulife, they would encourage people to carefully consider the potential implications before sharing any personal information – especially sensitive information. [Source]

US – Privacy Advocates Left Out Of NHS Care.Data ‘Oversight’ Board

Privacy advocates have been secretly expelled from the NHS’s care.data discussions group, while lobbyists backed by biotech corporations have kept their places at the table. The care.data Advisory Group was established in March 2014, after the scheme’s first collapse, as part of a process to get care.data – which intends to centralise patients’ health and social care data so it can be packaged and sold to private corporations – up and running again. A recent study into the scheme carried out by the University of Cambridge found that care.data was “launched in a contradictory regulatory landscape” and wracked with “unrealistic expectations” regarding the potential for patient health and social care data to be sufficiently anonymised when shared. [The Register]

US – Administrative Law Judge Affirms OCR Authority to Enforce HIPAA

An administrative law judge has upheld the authority of the Office for Civil Rights of the Department of Health and Human Services to enforce HIPAA regulations and impose fines, the second time a judge has made such a ruling in OCR’s favor. The decision means Lincare, a healthcare provider of respiratory care, infusion therapy and medical equipment to in-home patients, will have to pay $239,800 in civil money payments for an incident in which patient records were left unsecured. In the case, OCR charged that a Lincare employee took 278 patient records home and later left the records in the house after moving to live elsewhere. Another person who had lived in the home with the employee later found the records. An OCR investigation found that Lincare employees, who provide healthcare services in patients’ homes, regularly removed patient information from the company’s offices. “Further evidence indicated that the organization had an unwritten policy requiring certain employees to store protected health information in their own vehicles for extended periods of time,” the agency reported. “Although aware of the complaint and OCR’s investigation, Lincare subsequently took only minimal action to correct its policies and procedures and strengthen safeguards to ensure compliance with the HIPAA rules.” OCR reported that Lincare denied violating HIPAA, contending that patients’ protected health information was “stolen” by the individual who found the records in the home. In the ensuing court case, the administrative law judge ruled that Lincare was obligated to take reasonable steps to protect PHI. [Source] [Press Release | Notice of Proposed Determination | Decision]

Horror Stories

CA – Thermal Imaging May Lower Power Bill, But Raises Privacy Concerns

The City of Vancouver is beginning a new program that uses thermal imaging to identify older homes that are using excess energy. Thermal imaging has been helping homeowners figure out where they’re losing heat, so they can reduce their power bills, but it is also raising concerns about a possible invasion of privacy. Beginning in April, the plan is to take images of up to 15,000 homes and then work with about 3,000 homeowners to make their spaces greener by offering consultation and incentives. Higgins says the cameras can only detect heat, and the photos will only be shared with the homeowner. Once the 18-month pilot project is over, the images will be destroyed. [Global News]

US – Thieves Steal Tax Information from the IRS

The Internal Revenue Service was the target of an attack that used stolen social security numbers and other taxpayer data to obtain PINs that can be used to file tax returns electronically. The attack occurred in January and targeted an IRS Web application that taxpayers use to obtain their so-called Electronic Filing (E-file) PINs. The app requires taxpayer information such as name, Social Security number, date of birth and full address. Attackers attempted to obtain E-file PINs corresponding to 464,000 unique SSNs using an automated bot, and did so successfully for 101,000 SSNs before the IRS blocked it. The personal taxpayer data used during the attack was not obtained from the IRS, but was stolen elsewhere, the agency said in a statement. The IRS is notifying affected taxpayers via mail and will monitor their accounts to protect them from tax-related identity theft. [Source]
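The pattern described above, one client retrieving PINs for hundreds of thousands of different identities, is a velocity anomaly that an application log can reveal long before 101,000 successes accumulate. The following is an added example, not IRS code or anything from the article: it builds a constructed request log for a hypothetical PIN-retrieval endpoint and flags any source that queries more distinct subjects inside a sliding window than any human could. The endpoint path, IP addresses, identifiers and thresholds are all invented; the log carries only a digest of the identifier, never the raw value.

```python
import hashlib
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

ENDPOINT = "/efile-pin"  # hypothetical path; not the real application's URL


def pseudonymise(identifier: str) -> str:
    """One-way digest so the log never stores the raw identifier but distinct
    subjects can still be counted. (A keyed HMAC would be the production
    choice; plain SHA-256 keeps this constructed sample self-contained.)"""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def build_sample_log() -> list:
    """Constructed log: one scripted client cycling through 50 distinct subjects
    in about 30 seconds, plus three ordinary users who each retry once."""
    base = datetime(2016, 1, 20, 10, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(50):
        ts = base + timedelta(seconds=i * 0.6)
        lines.append(f"{ts.isoformat()} src=203.0.113.5 path={ENDPOINT} "
                     f"subject={pseudonymise(f'fake-{i:09d}')} status=200")
    for i, ip in enumerate(["198.51.100.10", "198.51.100.11", "198.51.100.12"]):
        subject = pseudonymise(f"user-{i}")
        for retry in range(2):  # the same person asking twice is not enumeration
            ts = base + timedelta(seconds=5 + i * 7 + retry * 2)
            lines.append(f"{ts.isoformat()} src={ip} path={ENDPOINT} "
                         f"subject={subject} status=200")
    return lines


def parse_line(line: str):
    """'<iso-timestamp> key=value key=value ...' -> (datetime, dict)."""
    ts_str, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return datetime.fromisoformat(ts_str), fields


def flag_enumeration(lines, window=timedelta(seconds=60), max_distinct=10) -> dict:
    """Return {source: peak number of distinct subjects seen inside one window}
    for every source whose peak exceeds max_distinct."""
    events = sorted((parse_line(line) for line in lines), key=lambda e: e[0])
    per_source = defaultdict(list)
    for ts, fields in events:
        if fields.get("path") == ENDPOINT:
            per_source[fields["src"]].append((ts, fields["subject"]))

    flagged = {}
    for src, hits in per_source.items():
        in_window = deque()
        counts = defaultdict(int)  # subject -> hits currently inside the window
        peak = 0
        for ts, subject in hits:
            in_window.append((ts, subject))
            counts[subject] += 1
            while ts - in_window[0][0] > window:  # expire hits older than the window
                _, old_subject = in_window.popleft()
                counts[old_subject] -= 1
                if counts[old_subject] == 0:
                    del counts[old_subject]
            peak = max(peak, len(counts))
        if peak > max_distinct:
            flagged[src] = peak
    return flagged


if __name__ == "__main__":
    print(flag_enumeration(build_sample_log()))  # {'203.0.113.5': 50}
```

Counting distinct subjects rather than raw requests is what separates a bot from a legitimate user who retries: the three ordinary users each make two requests but for one subject, so they never approach the threshold. In practice the source key would combine IP with session or device fingerprint, since a bot can spread requests across addresses, and the flag would feed a rate limit or step-up challenge on the endpoint rather than just a report.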

Internet / WWW

UK – Privacy Watchdog Warns That IoT Devices Can Track People

The UK ICO has told manufacturers of Internet of Things devices that they should make better attempts to notify people that data could be collected on them. Simon Rice, technology group manager at the ICO, said that the IoT industry has to comply with data protection law when collecting personal data. There could arguably be some confusion over what constitutes personal data, and Rice set out a few examples of where data is personal and where it isn’t. MAC addresses used in smartphones are definitely personal data. “An IPv6 address could be personal as it would be specific to that device,” he said. He added that even if individual identification is not the intended purpose, the implications of IoT for privacy and data protection are still significant. [Source] See also: [IoT Could Be Used To Spy, Admits James Clapper] and [US intelligence chief: we might use the internet of things to spy on you]
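Where a sensor or Wi-Fi deployment genuinely needs a per-device identifier for analytics, one practical mitigation for the point Rice makes is to pseudonymise MAC addresses before they are stored, using a keyed hash whose key rotates each period so the same device cannot be linked across periods. The following is an added example, not ICO guidance and not code from the article; the class, the period scheme, the secret and the addresses are the editor’s constructions. It also checks the locally-administered bit, which modern phones set on the randomised MAC addresses they use while scanning, so those can be treated differently from a device’s permanent address.

```python
import hashlib
import hmac
import re


def normalise_mac(mac: str) -> str:
    """Accept 00:1A:2B:3C:4D:5E, 00-1a-2b-3c-4d-5e or 001a.2b3c.4d5e and
    return the canonical lower-case colon form so equal devices hash equally."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def is_locally_administered(mac: str) -> bool:
    """Bit 1 of the first octet set means a locally administered address,
    which is what the randomised (privacy) MACs on modern phones look like."""
    first_octet = int(normalise_mac(mac)[:2], 16)
    return bool(first_octet & 0x02)


class MacPseudonymiser:
    """Keyed pseudonymisation: HMAC(period_key, mac). A plain hash would not
    do, because the 2^48 MAC space is small enough to enumerate and reverse;
    without the secret the HMAC output cannot be reversed, and a fresh
    per-period key makes the same device unlinkable across periods."""

    def __init__(self, secret: bytes, period: str):
        if len(secret) < 16:
            raise ValueError("secret too short")
        self.period = period
        # Derive a per-period key so the long-term secret never touches records.
        self._key = hmac.new(secret, period.encode(), hashlib.sha256).digest()

    def pseudonym(self, mac: str) -> str:
        tag = hmac.new(self._key, normalise_mac(mac).encode(), hashlib.sha256).hexdigest()
        return f"{self.period}:{tag[:16]}"


if __name__ == "__main__":
    secret = b"constructed-demo-secret-do-not-reuse"  # constructed; load from a vault in practice
    this_week = MacPseudonymiser(secret, "2016-W06")
    print(this_week.pseudonym("00:1A:2B:3C:4D:5E"))
    print(is_locally_administered("02:1a:2b:3c:4d:5e"))  # True
```

The pseudonym is still personal data in the ICO’s sense while the key exists, since the operator can recompute it; what the scheme buys is that a leaked dataset is useless without the key, and that deleting an expired period key makes old records permanently unlinkable, which is a concrete retention control rather than a promise.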

WW – Data Security Concerns Remain Top Obstacle to IoT Initiatives

Despite the rapid growth of the Internet of Things, concerns over data security remain the number one obstacle to further development. That is the conclusion of a recent study by TEKsystems on the state of Internet of Things (IoT) initiatives. More than 200 IT and business leaders were polled by the Hanover, MD-based firm on project ownership, implementation status, risks, required skill sets and organizational preparedness. The purpose of this survey was to gain a better understanding of how organizations are being impacted by IoT, steps they are taking to prepare, resource barriers and challenges, as well as long-term IoT objectives. Key findings from the study are:

  • While 55% expect IoT initiatives to have a ‘transformational’ or ‘significant’ impact, just 22% of IoT initiatives have progressed to the implementation stage.
  • Information security and ROI are cited as the biggest hurdles to address, and information security experts are cited as the most difficult skill set to find.
  • Leadership of IoT initiatives still mostly resides with IT.
  • Two-thirds expect IoT projects to be handled with internal staff, yet most organizations are not highly confident in their “in-house” preparedness. [Source]

WW – IoT from “Sensor-to-Insight” to “Sensor-to-Action”

A few months ago, we passed an important milestone: for the first time in history, the mobile network traffic between machines had a higher volume than the mobile network traffic between humans. Imagine that… Internet-of-Things traffic surpasses the traffic generated by selfies, pictures of cute cats, text messages and all voice traffic in our mobile networks! The Internet of Things has been a hot and exciting topic for quite a while, but now we see an important development that accelerates the IoT revolution. For a long time, the most common application for IoT has been to collect data: sensors on various devices and machines have generated data, and we have used clever technology to gather it, send it to some central system and make sense of it. Let us call it “from Sensor to Insight”. What we see now is that we still gather data from remote devices and sensors, but the data can be used to trigger action: to execute business processes, or to influence processes that are already running. The focus of the Internet of Things is moving from “Sensor-to-Insight” to “Sensor-to-Action”. [Source] See also: [FTC in no rush to regulate Internet of Things] See also: [Visceral data: After heartbreak, IoT devices give us ‘something to show’]

WW – GSMA Unveils IoT Security and Privacy Guidelines

The GSMA released guidelines designed to promote secure Internet of Things (IoT) service development and deployment, a sign that the mobile industry acknowledges a growing cybersecurity threat, as well as burgeoning consumer wariness around data privacy and IoT. The document was developed through consultation with the mobile industry. The rapid growth in IoT take-up increases the possibility of potential vulnerabilities, according to the GSMA. “These can be overcome if the end-to-end security of an IoT service is carefully considered by the service provider when designing their service and an appropriate mitigating technology is deployed.” The guidelines have been designed for all participants in the IoT ecosystem including service providers, device vendors and developers. As well as helping providers to build secure services from the outset, the guidelines also establish the need for assessing the risk of all components in an IoT service to ensure they are designed for secure data collection, storage and exchange. The guidelines went through a consultation with academics, analysts and other industry experts. [Mobile World]

Law Enforcement

US – New Report Shows the Limits of Police Body Cameras

The Brennan Center has just completed a study of the body camera policies in the 24 police departments around the country [PDF version] that have so far implemented them. Of the 24, 9 programs are still in the pilot stage. For comparison, the Brennan Center also included three model programs from the ACLU, the International Association of Chiefs of Police, and the Police Executive Research Forum. The authors of the study then broke the policies down into several charts: “Recording Circumstances,” “Privacy and First Amendment Protections,” “Accountability,” “Retention and Release,” and “Security.” [Wash Post] See also: [Survey: Almost All Police Departments Plan to Use Body Cameras] and [A separate effort by the Leadership Conference on Civil and Human Rights, a coalition of different advocacy groups, is tracking implementation of recommended body camera policies across 25 police departments]. See also: [Missouri Bill Permits Access to Recordings from Law Enforcement Body Worn Cameras: House Bill 2344, relating to body worn cameras and amending Missouri Revised Code in relation to public records, is introduced and read for a second time]

US – Nebraska Bill Permits Govt Use of ALPR Systems Subject to Restrictions

Legislative Bill 831, the Automatic License Plate Reader Privacy Act, is introduced and referred to the Judiciary Committee. Captured license plate data may only be used by specified law enforcement agencies for specified purposes (e.g. traffic violations, missing persons, stolen vehicles, criminal investigations, electronic toll collection, and controlling access to secured areas); law enforcement may process privately held plate data only if it is no more than 14 days old, and only subject to a criminal warrant or court order. [Legislative Bill 831 – Automatic License Plate Reader Privacy Act – 104th Legislature of Nebraska]

Other Jurisdictions

WW – Privacy Bar Section of the IAPP Unveiled

IAPP has announced the launch of its Privacy Bar Section, which aims to serve the lawyers that compose more than forty percent of IAPP’s membership. In conjunction, the IAPP has also applied to the American Bar Association to have its privacy certification officially recognized as a legal specialty. [IAPP]

Privacy (US)

US – Obama Establishes ‘Cyber Czar’ and New Privacy Board

President Barack Obama is asking Congress to devote $19 billion to cybersecurity and is issuing new executive orders geared at the protection of both government and private computer networks. In one executive order, Obama directed agencies to implement the Cybersecurity National Action Plan. The CNAP is the broad plan that includes establishing the office of a federal chief information security officer, making budget requests and focusing on training opportunities. The federal chief information security officer marks the first time a senior official will be dedicated solely to developing, managing and coordinating the government’s cybersecurity strategy across multiple agencies, a “cyber czar” of sorts. A separate executive order will create the Federal Privacy Council, which is a multi-agency task force charged with coming up with policies to help the government fight hackers or identity thieves, while also protecting the privacy of individuals. The privacy council will report directly to the president. [The Blaze] [White House Executive Order on Privacy Falls Short]

US – ACLU, Tenth Amendment Center Take on Student Data Privacy

In consultation with the center — a think tank that advocates strict limits on federal power — the ACLU wrote model legislation that both organizations are urging legislators around the country to support. Parts of the bills aimed at bolstering student-privacy protections were written to ensure that “schools don’t become a Constitution-free zone,” and that companies that want to collect student data must first get explicit permission. Over the past two years, 32 states have enacted some sort of data-privacy law, according to the Data Quality Campaign. Some of those laws have been sweeping, such as California’s Student Online Personal Information Privacy Act, which has drawn particular praise from privacy advocates. Other laws are much weaker, experts say. To work around a lack of movement at the federal level over data-privacy protections for students, the activists and lawmakers working with the two organizations are calculating that if they get enough states to adopt a stricter slate of privacy expectations for vendors, companies will have little choice but to raise their standards nationally to a level that would allow them to work in any state. The proposed legislation focuses on stepping up safeguards in four specific areas:

  • Parental or student consent to release student data for noneducational purposes or to third parties;
  • Limits on information that can be gleaned from computing devices loaned to students;
  • Protections from warrantless searches of students on campus; and
  • Restrictions on access to student postings that are behind privacy settings on social media.

The model legislation also calls for professional development to help teachers familiarize themselves with basic student-data-privacy concepts. The Future of Privacy Forum — a Washington-based think tank and a co-author of the Student Privacy Pledge, a commitment by ed-tech companies to safeguard data — offered a measured endorsement of the provisions in the ACLU’s model bill. [Source] See also: [Senate Bill 2171 – Student Privacy in Take-Home Technology Programs – State of Rhode Island General Assembly]

US – ACLU publishes updated privacy guide

The ACLU of Southern California announced its publication of the third edition of “Privacy and Free Speech: It’s Good for Business,” the organization reports on its website. The guide includes “more than 100 case studies and cutting-edge recommendations on everything from privacy policies to security planning to community speech standards,” the report states. “By following some pretty simple steps to incorporate privacy and free speech protections into products, businesses can make their services user friendly and avoid costly mistakes,” the report continues. “As the primer illustrates, doing so is not just good on principle — it’s good for business, too.” The primer is available for free online. [ACLU]

Privacy Enhancing Technologies (PETs)

WW – Britain’s First Anonymous Search Engine

Oscobo is the only UK-based Privacy Search Engine that does not track or store users’ data. The company was founded on the belief that personal data should remain just that, personal, and has set out to turn the tables to favour the Internet user instead of serving interests of big companies. This article will highlight the importance of understanding how user data is being tracked and used by search engines, and how using an anonymous option has clear benefits. [Source]

Security

EU – NIS Directive Establishes First EU-Wide Cyber Security Rules

In December 2015 the EU institutions came to an agreement on the Network and Information Security Directive, establishing a set of EU-wide rules on cyber security for the first time; formal adoption of the Directive by the European Parliament and the Council of the EU is pending at the time of publication. For those businesses that fall under its scope, such as search engines and cloud computing providers, the advent of the NIS Directive will mean that incident handling and notification will take on a more serious role than previously, and numerous security obligations will need to be satisfied. [FieldFisher Privacy Law Blog]

WW – Firms Feel More Confident In Ability to Thwart Data Breaches: Study

A majority of organizations believe they will be more secure against data breaches in 2016, despite the fact that nearly three-quarters of organizations experienced a security threat last year. Why the seeming disconnect? A growing number of organizations are investing in more advanced security solutions and are ramping up end-user training around data security best practices. Those are among the findings of the recent study “Battling the Big Hack” from Spiceworks, which looked at IT professionals’ perceptions of the biggest IT security threats and the steps they’re taking to prevent security incidents and breaches within their organizations. The study found that while 80% of organizations experienced a security incident in 2015, 71% of IT professionals expect their organizations to be more secure in 2016. There is also good news in the study. “In order to protect end users from breaches on various devices in the workplace, 73% of IT professionals are enforcing end-user security policies and 72% are regularly educating their employees through lessons on topics such as ‘how to avoid malware’ and ‘how to spot phishing scams,’” the study noted. [Source]

WW – Infosec Pros Still Pressured to Release Unsecure Projects: Survey

Despite an increase in the number of data breaches last year, infosec pros say they continue to be pressured by the business side to release projects that aren’t fully secure, according to an international survey. The survey, paid for by Trustwave, showed that 77% of respondents in five countries — and 7% of Canadians — felt either frequent or periodic pressure to roll out IT projects that weren’t security ready. The good news is that the majority agreed it was once or twice rather than frequently. However, if a bug slips by, that could be once too many. Released this week, the survey questioned 1,414 in-house information security professionals from around the world, including 210 from Canada. Others were in the U.S., Britain, Australia and Singapore. [IT World Canada]

WW – Removing Administrator Rights Mitigates Most Windows Vulnerabilities

According to a recent report, 85% of critical vulnerabilities in Windows last year could have been mitigated by eliminating administrator rights. Nearly all critical flaws affecting Internet Explorer (IE) could have been mitigated with the same action. [ZDNet] See also: [2009 report states that 92% of critical vulnerabilities would be mitigated by reducing the privileges for users on their systems] and [this guide from the NSA in 2013 also recommends reducing the use of local admin accounts]. The use of local admin accounts is a prime example of how ease of use wins out over security. Microsoft has published some guides on how to manage this issue. [TechNet] [Technet]
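The practical first step behind the figures above is finding out which day-to-day accounts actually hold local admin rights. The script below is an added example written for this digest; it is not from the ZDNet report, the NSA guide or Microsoft’s TechNet articles. It lists the members of the local Administrators group (using Get-LocalGroupMember where available and parsing `net localgroup` output on older systems), reports whether the current session is elevated, and flags ordinary user accounts that should be reviewed. Group and role names are the Windows built-ins; everything else is this example’s own naming.

```powershell
# Added example: audit local Administrators membership on a Windows host and
# report whether the current session runs with an elevated token.

function Test-IsElevated {
    # True when the current token carries the built-in Administrators role.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Returns objects with Name / ObjectClass / PrincipalSource for every member
    # of the local Administrators group.
    if (Get-Command Get-LocalGroupMember -ErrorAction SilentlyContinue) {
        # Windows 10 / Server 2016 and later ship the LocalAccounts module.
        return @(Get-LocalGroupMember -Group 'Administrators' |
            Select-Object Name, ObjectClass, PrincipalSource)
    }

    # Fallback for older systems: parse the plain-text listing, which places the
    # member names between a dashed rule and the "completed successfully" line.
    $inList  = $false
    $members = @()
    foreach ($line in (net localgroup Administrators)) {
        if ($line -match '^-+$') { $inList = $true; continue }
        if ($inList -and $line -and $line -notmatch 'completed successfully') {
            $members += [pscustomobject]@{
                Name            = $line.Trim()
                ObjectClass     = 'unknown'   # net.exe does not report the type
                PrincipalSource = 'unknown'
            }
        }
    }
    return $members
}

# Report
$members = Get-LocalAdminMembers
"Current session elevated: $(Test-IsElevated)"
"Local Administrators group has $($members.Count) member(s):"
$members | Format-Table -AutoSize

# Flag interactive user accounts holding admin rights. These accounts run browsers,
# mail clients and office documents with full privileges, which is the exposure the
# report quantifies. The built-in Administrator account is excluded from the list.
$userAccounts = $members | Where-Object {
    $_.ObjectClass -ne 'Group' -and $_.Name -notmatch '\\Administrator$'
}
if ($userAccounts) {
    "Review these accounts; consider removing them from Administrators and using a separate account for elevation:"
    $userAccounts | ForEach-Object { "  - $($_.Name)" }
}
```

Run it in a normal (non-elevated) PowerShell session on each workstation; a result of `Current session elevated: False` together with an empty review list is the state the report argues for. Domain groups nested in the local Administrators group appear as `Group` entries and need to be expanded separately in Active Directory.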

US – DHS, FBI Employee Data Exposed

Someone posted personal information that seems to cover more than 9,000 US Department of Homeland Security (DHS) employees and 20,000 FBI employees online. The self-proclaimed attacker said that the information was taken from a Department of Justice (DOJ) computer using a compromised DOJ email account. [CNET] [DarkReading] [The Hill] [The Hill] [ComputerWorld] [vice.com]

Smart Cars

EU – European Multi-Stakeholder Group Releases Connected Vehicles Report

In December 2015, a multi-stakeholder group called “C – ITS Working Group 6” created in the context of the ITS and eCall working groups published a report on the possible ways that access might be granted to the data generated by connected cars. European Regulation 758/2015 requires the development of an “interoperable, standardized, secure, open-access platform” for the sharing of data. Originally, the work regarding the data sharing platform was related to the eCall directive, which requires cars to be equipped with communication devices that automatically communicate with emergency services in the event of a serious accident. However, Regulation 758/2015 mandates interoperable, standardized, secure, and open access platforms in the broader context of connected car data, including access to telematics data. [Source]

Surveillance

US – Dstillery Uses Iowa Caucus Data to Paint Voter Picture

In a Marketplace report, “data intelligence” and targeting ad firm Dstillery CEO Tom Phillips discusses how the organization employed data analysis technology to find correlating voter traits from participants in the Iowa caucus. “We watched each of the caucus locations for each party and we collected mobile device IDs,” Phillips said. “It’s a combination of data from the phone and data from other digital devices.” The result? “NASCAR was the one outlier, for Trump and Clinton,” Phillips said. “In Clinton’s counties, NASCAR way over-indexed.” While Dstillery has only taken a look at Iowa voters, it “anticipates compiling voter data in other primaries” depending on candidate interest, the report states. [Source]

US Government Programs

US – White House Plots Privacy Updates for 2016

Marc Groman, who advises the White House on privacy issues, is focusing on delivering fundamental changes to privacy policy in government operations, including IT, in the next 11 months before President Barack Obama leaves office. “Privacy is not a subset of cybersecurity or IT,” said Groman, senior adviser for privacy at the Office of Management and Budget, during a Department of Homeland Security Data Privacy and Integrity Advisory Committee presentation on Feb. 8. “It has to move with those, but it needs its own council.” He was referring to the Federal Privacy Council, which was announced in December 2015 by OMB Director Shaun Donovan. It will be modeled on the CIO Council and will seek to bolster privacy best practices and operations in the federal government. The council will also try to capitalize on individual agencies’ advances in privacy policy, transform those strategies from reactive to proactive and “professionalize” privacy roles in the federal government, Groman said. “We want to shift from an environment of one-time compliance to one of ongoing risk-based” management that incorporates continuous reevaluation of privacy plans, he added. [FCW]

US Legislation

US – Senate Passes Privacy Bill Key to Two International Agreements

The Judicial Redress Act, which gives EU citizens the right to challenge misuse of their personal data in U.S. court, has long been a stated requirement of the umbrella agreement, which would allow the U.S. and EU to exchange more data during criminal and terrorism investigations. Its role in the final approval of the so-called Privacy Shield, struck last week, is murkier. The deal replaces a 2000 agreement that permitted some 4,400 U.S. firms to legally handle European citizens’ data, struck down by the EU high court in October over privacy concerns. The bill is also a prerequisite of a law enforcement data-sharing “umbrella” agreement reached last fall. [The Hill] See also: [Judicial Redress Act Would Extend Privacy Act Remedies to Citizens of Designated Foreign Nations] [Senate, House OK Judicial Redress Act, send to Obama to sign] [Laws to give EU citizens right of redress in the US over data handling move closer]

+++

01-07 February 2016

Biometrics

EU – Revised Edition of Biometric Privacy Guidelines Now Available*

The Biometrics Institute has completed revisions on its Biometrics Privacy Guidelines, Biometric Update reports. The guide is a document comprising 16 principles that assist users “across many different countries and jurisdictions,” considering that “biometrics and information technologies do connect beyond national boundaries and across different fields as diverse as health records, border controls, retail, consumer based applications in the telecommunications industry, finance and banking and driver’s licenses,” the report states. “It is the public’s assurance that the biometric managers have followed best practice privacy principles when designing, implementing and managing biometric based projects,” said Biometrics Institute CEO Isabelle Moeller on the guide’s update. The resource is only available to Biometrics Institute members. [Biometric Update] [Biometrics Institute Issues Privacy Guidelines] * To Biometric Institute Members only

WW – New App Employs Selfies to Help Users Find Pictures of Themselves

Waldo, a free app hitting iPhones this spring, utilizes a selfie and location data to find other pictures of the user that have been uploaded to the service. It primarily scours public events, like concerts, for pictures of users, alerting them when it finds their photo elsewhere. The technology has already garnered comparisons to Facebook’s Moments app. However, Waldo’s CEO maintains that the app is aimed toward simplifying a user’s social media experience. “We’re going to make it really painless to get those so you’re not constantly nagging and saying, ‘Hey, will you text me that photo from that party the other night?’” [MIT Technology Review]

Canada

CA – Ontario Court Expands Scope of Privacy Tort to Include ‘Revenge Porn’

A recent ruling that found a man financially liable for posting a private sex tape of a former girlfriend online is being hailed as a case that is the first of its kind in Canada. Experts are calling the decision a win, which makes sense given we live in an age where there is a rapidly climbing sensitivity to victimization of all kinds, particularly in social media. “Personal and private communications and the private sharing of intimate details of person’s lives remain essential activities of human existence and day to day living. To permit someone who has been confidentially entrusted with such details — and in particular intimate images — to intentionally reveal them to the world via the Internet, without legal recourse, would be to leave a gap in our system of remedies,” said the ruling. “I therefore would hold that such a remedy should be available in appropriate cases.” [Source]

CA – Tax Agency Staffer Gone After Taxpayer Data Leaks to CSIS

No one’s saying much about what happened and who’s been held accountable for several breaches of taxpayer privacy at the Canada Revenue Agency. The privacy breaches came to light last week in the annual report of the watchdog for CSIS, Canada’s spy agency. The report described how intelligence officers, repeatedly and without a warrant, improperly obtained taxpayers’ information. Canada Revenue Agency has confirmed that an employee implicated in a leak of taxpayer information to CSIS is no longer with the tax agency. When CRA was asked what happened on its side, and whether anyone has been fired or disciplined, a spokesman responded, “The employee is no longer with the agency (…) For more information about the incident, please contact CSIS.” A follow-up question about whether the former employee had taken the well-worn path of resigning or retiring before being fired, prompted a politely worded response from Brideau that the agency won’t be able to provide such details. The public may learn more if Canada’s Privacy Commissioner decides to investigate. [Source] [CRA doesn’t even know what taxpayer information it shared improperly with spy agency]

Consumer

US – How You Handle Data Privacy, Security Is Key to Customer Loyalty

How your organization handles issues related to data privacy and data security will have an enormous impact on the willingness of consumers to do business with you. That is one of the key findings of a new study by New York-based Morrison & Foerster. The firm has just released the results of its latest consumer survey on privacy. The survey, “Morrison & Foerster Insights: Consumer Outlooks on Privacy,” examines the attitudes and concerns that U.S. consumers across the country have regarding multiple privacy-related issues, such as the disclosure of personal information, data breaches, and privacy policies. The study results offer some important lessons for IT and data professionals. “The findings indicate that a significant percentage of the American people continue to be concerned about numerous facets of security.” [Source] [MoFo]

Encryption

UK – Communication Providers Should Not Have to Decrypt Messages: MPs

The UK Science and Technology Committee, which has assessed the technical feasibility of the draft Investigatory Powers Bill, said, though, that the new laws should allow intelligence agencies to request that communication providers decrypt data they have encrypted “in tightly prescribed circumstances”. New UK surveillance laws should not impose obligations on communication providers to decrypt messages sent over their networks if they have not added the encryption to those messages, a committee of MPs has said. Giving evidence in December to another parliamentary committee that is scrutinising the Bill, Vodafone raised concern about provisions of the draft laws that would force communication network operators to decrypt communications sent over their networks via other communication services, like Skype and WhatsApp, if requested to do so. In its report, the Science and Technology Committee said that there is a lack of clarity in the current draft of the Bill with how some terms are defined as well as over “the extent to which ‘internet connection records’ (ICRs) will have to be collected” by communication providers. [Source]

EU Developments

EU – The “Privacy Shield” Faces an Uphill Battle

This week, European VP Andrus Ansip and Commissioner Vera Jourová announced that the EU Commission had approved a political agreement on what will henceforth be known as the “EU-US Privacy Shield.” Over the coming weeks they will have to draft a fresh EU Commission adequacy decision to replace the previous “Safe Harbor” decision, which the Court of Justice of the European Union found invalid in Schrems. There is already speculation that the validity of this new decision will itself be challenged in the CJEU; as much is clear from discussions in the European Parliament the night before. So Ansip and Jourová will need to draft as robust a decision as they can, if that decision is to withstand review by the CJEU. [IAPP] [How sturdy is the Privacy Shield?] [FTC, DoC answer Privacy Shield questions] [EU DPAs respond to Privacy Shield; BCRs are a go, for now] [EU-US Privacy Shield scrutinized in Article 29 Working Party initial response] [Deal on EU-US Privacy Shield leads EU watchdogs to extend moratorium on data transfers enforcement action] [EU-US Data Transfers Won’t Be Blocked While Privacy Shield Details Are Hammered Out, Says WP29] [Privacy Shield mauled by European tech suppliers but successor to Safe Harbour agreement cheered by US firms] [FTC Commissioner Julie Brill comments on EU-US Privacy Shield] [What businesses need to know about Privacy Shield] [The EU-US Privacy Shield. Not quite there yet!]

UK – Investigatory Powers Bill Loopholes Will Lead to Unbridled Surveillance

The House of Commons Science and Tech Committee has published its report on the draft Investigatory Powers Bill, influenced by comments submitted by 50 individuals, companies, and organizations. The report is the first of three investigations by different Parliamentary committees. While it was intended to concentrate on the technological and business ramifications of the bill, their conclusions reflect the key concern of lawmakers, companies, and human rights groups about the bill’s dangerously vague wording. The Investigatory Powers Bill, as written, is so vague as to permit a vast range of surveillance actions, with profoundly insufficient oversight or insight into what Britain’s intelligence, military and police intend to do with their powers. It is, in effect, a carefully-crafted loophole wide enough to drive all of existing mass surveillance practice through. Or, in the words of Richard Clayton, Director of the Cambridge Cloud Cybercrime Centre at the University of Cambridge, in his submissions to the committee: “the present bill forbids almost nothing … and hides radical new capabilities behind pages of obscuring detail.” The series of successful challenges in the UK and EU against previous surveillance law and practice shows that vague and unbounded language cannot survive a serious challenge in the courts. If the UK government wants its surveillance rules to stand the test of time, it needs to build them on a firm foundation of clarity, necessity, and proportionality. [Source]

EU – Companies Subject to Multiple EU Data Protection Regimes: Watchdog

Companies that are operational in multiple EU countries can be forced to comply with each of the different national data protection laws that apply in the countries in which they operate, according to new guidance. The Working Party’s guidance also explained how EU data protection laws can apply to non-EU based companies, even if they process personal data outside of the EU. In this context the guidance expands on a 2014 case involving internet giant Google in which the CJEU ruled that Google was subject to Spanish data protection laws despite the company not processing any personal data in the country. The CJEU assessed the fact that Google had a Spanish subsidiary based in Madrid that promoted and sold advertising space for its search service when arriving at its decision. [Out-Law]

Health / Medical

US – Obama: ID Theft Victims Should Have Access to Thieves’ Medical Records

The Obama administration says those who’ve had their identities stolen have the right to review and correct their medical records and also have the right to look at the medical records of those who stole their records. To date, it’s been difficult at times for victims of ID theft to correct their records because they haven’t been able to access the thieves’ medical data because of health care privacy laws. The Senate Health, Education, Labor and Pensions Committee has been looking at ways to help victims of medical identity theft, and the Obama administration — recently criticized by Republicans for not doing enough on the issue — outlined the policy in a letter to the committee. [Wall Street Journal] [FierceHealthIT]

ON – Hospital Improperly Refused to Disclose PHI Because They Consist of Mental Illness Records: IPC ON

This IPC decision reviews Halton Healthcare Services’ handling of a request for disclosure of health information pursuant to the Personal Health Information Protection Act. The hospital, which must re-exercise its discretion, relied on irrelevant considerations in deciding against disclosure, such as the absence of “specimens” and the fact that the records are about mental illness; some mental illnesses seem to run in families, and it is possible that the PHI may be relevant to health care decisions by family members. [IPC ON – PHIPA Decision 21 – Halton Healthcare Services]

CA – OIPC BC Determines Public Body Did Not Follow Privacy Policies

The BC Office of the Information and Privacy Commissioner investigated the Ministry of Education for failure to protect personal information in its custody. A hard drive containing student personal information (i.e. names, dates of birth, gender, financial aid data, special needs, health and behaviour issues and personal education numbers) went missing; the Ministry should conduct mandatory training with periodic refresher courses, maintain an accurate inventory of personal information assets and store mobile storage devices in a government-approved facility. [OIPC BC – Investigation Report F16-01 – Ministry of Education] See also: [Privacy breach in B.C. points to need for policies in Yukon: commissioner]

UK – Health Care Breaches on the Rise

Healthcare is responsible for more data breaches than any other UK sector, and the number of cases is rising fast. There were 734 instances in 2014, and year-on-year numbers doubled from April-June 2013 to the same quarter the following year. UK trends could be set to follow those of the United States, where 91% of healthcare organisations have suffered at least one data breach in the past 2 years, and 40% have suffered more than 5 incidents. More importantly, mistakes and negligence are no longer the principal cause: criminal attacks on the healthcare sector have increased by 125% since 2010. Hackers can also steal far more information than is usually lost in error: the recent attack on Excellus is believed to have involved up to 10 million individual records. [Source]

Horror Stories

US – Health Insurer Loses Hard Drives with 950,000 Medical Records

Health insurer Centene Corp. is hunting for six computer hard drives containing the PHI records of about 950,000 individuals, the company said Monday afternoon. The drives were being used in a data project that sought to utilize lab test results to improve members’ health outcomes. The records on the missing drives include individuals’ names, dates of birth, Social Security numbers, member ID numbers and unspecified “health information.” [Source]

Identity Issues

CA – BCCLA Raises Privacy Concerns Over Compass Card Tracking

The BC Civil Liberties Association is warning the public about a possibility of a privacy breach for people using Compass Cards. BCCLA claims it is possible to track travel history by simply obtaining a person’s Compass Card. The BCCLA says they are concerned about abusive partners, stalkers or police abusing the system to track someone’s movement. The BCCLA is recommending people pay cash for the card or use cash to buy single-use Compass tickets if they want to make sure their name is not linked to a travel itinerary. [Source]

Internet / WWW

WW – The Case for Ethical Standards in (Big Data) Analytics

A paper by Carnegie Mellon researchers raised a red flag about the analytics behind Google job search ads, revealing that Google’s analytical modeling serves ads for a career coaching service for higher-paying jobs to men more frequently than it does to women. Other research and publications have also pointedly raised concerns and risks regarding the perils associated with breaches or questionable use of data. [Source] [“Automated Experiments on Ad Privacy Settings“]

Law Enforcement

US – EFF and ACLU Say Milwaukee Police Used Stingray Without a Warrant

The Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU) have filed an amicus brief in the US Court of Appeals for the Seventh Circuit, alleging that the Milwaukee, Wisconsin police department used a stingray without first obtaining a warrant. [SCMagazine]

US – Berkeley Students File ECPA Suit Against Google

Four U.C. Berkeley students and an alumnus have filed a lawsuit against Google accusing it of targeting U.C. Berkeley emails for data mining between 2012 and 2014. The suit follows complaints in 2014 that Google was scanning emails in “Apps for Education,” when nine plaintiffs accused the company of collecting their information for advertising without their consent. In this most recent suit, the plaintiffs say Google’s alleged email scanning violated the Electronic Communications Privacy Act. They say a 2014 post by Google acknowledging it had scanned Apps for Education emails is proof. Google said it doesn’t comment on pending litigation. [The Daily Californian] [Class Action lawsuit webpage] [U of Big Brother?]

Online Privacy

WW – Extension Allows Users to Block Ads and Avoid Online Tracking

A new Firefox extension called Decentraleyes is aimed at helping users block ads and avoid being tracked online. The tool is free and available for Firefox users. It allows for the loading of content delivery networks with direct access to them, meaning users aren’t tracked once they’ve visited a site. While many sites “chose to host critical libraries on external services, like Google Hosted Libraries, to improve load times and ensure they don’t go down,” doing so “provides another avenue for companies to track the sites you visit.” Decentraleyes stores commonly used files locally “instead of from remote sources” to circumvent that problem. [The Next Web] See also: [Privacy Badger]

WW – Service Creates Ad-Blocker Workaround

Softpedia reports on a new service aimed at “helping online publishers counteract users that employ ad-blocking browser extensions when accessing their sites.” BlockBypass was developed by BlockIQ and responds to the proliferation and usage of ad-blocking extensions, which, according to one study, went up 41% in 2015 compared to the year prior. The trend led to a loss of $21.8 billion in ad revenue. The BlockBypass technology “would allow publishers to hide the location of the ad server from where the ad is being downloaded,” and will sit between the user and the ad server. [Softpedia]

Privacy (US)

US – Where do US Presidential Candidates Stand on Privacy and Surveillance?

Through the various debates and out on the campaign trail, the U.S. presidential election has begun to feature topics of privacy and cybersecurity. Sophos’ Naked Security blog rounds up each candidate’s stance in neat fashion. Republican Ted Cruz, who topped the recent Iowa caucuses, has publicly “opposed many politicians in his own party who were calling for expanded government surveillance powers.” Donald Trump, meanwhile, has called for “closing that Internet up” and said Americans “would be willing to give up some privacy in order to have more safety.” On the Democratic side, Hillary Clinton has “taken a hard line on NSA leaker Edward Snowden” and Bernie Sanders “voted against the USA PATRIOT Act in 2001 and 2006.” [NakedSecurity] See also: [Five senior U.S. administration officials announced the National Background Investigations Bureau, which will conduct all background checks on federal employees and contractors going forward].

Privacy Enhancing Technologies (PETs)

WW – Google Expanding Safe Browsing in Chrome

Google’s safe browsing technology will now cover online advertisements that try to trick people into entering account access credentials or downloading malware that pretends to be a legitimate software update. If a site is deemed to be deceptive, Chrome will display a red screen and a text warning. [Source]

Smart Cars

EU – German DPA Issues Joint Declaration with Automotive Industry

The data protection authority in Germany issued a joint declaration with the Association of the Automotive Industry on the privacy aspects when using connected and non-connected vehicles. Organisations storing data collected from vehicles should inform individuals of how to exercise access rights and what measures will be taken if the database is lost or stolen; informed consent should be obtained when the vehicles are purchased and users should be able to change or reset settings on any user-entered information (i.e. navigation data and email or messaging contacts). [DPA Germany – Joint Declaration of the Conference of Independent DPAs of the Federal and State Governments and the Association of the Automotive Industry] (in German)

Surveillance

US – Felon’s Lifetime GPS Monitoring Upheld by US Federal Appeals Court

A federal appeals court is upholding lifetime GPS monitoring of a convicted felon, in this instance a Wisconsin pedophile who served time for sexually assaulting a boy and a girl. The court upheld the constitutionality of a Wisconsin law that, beginning in 2008, requires convicted pedophiles to wear GPS ankle devices for the rest of their lives. A federal judge had sided with the offender. Wisconsin appealed to the 7th US Circuit Court of Appeals, which ruled in the state’s favor and derided the lower court’s ruling as “absurd.” Among other things, the offender, Belleau, said the GPS device violated his privacy because he had served his time and was not on post-prison supervision. The three-judge appeals court did not agree. The court’s reasoning, however, could apply to other criminals who have a propensity to reoffend. The court said that the burden on privacy “must in any event be balanced against the gain to society from requiring that the anklet monitor be worn. It is because of the need for such balancing that persons convicted of crimes, especially very serious crimes such as sexual offenses against minors, and especially very serious crimes that have high rates of recidivism such as sex crimes, have a diminished reasonable constitutionally protected expectation of privacy.” [Ars Technica]

WW – Fitness Trackers Put Users’ Health Data at Risk, Study Suggests

A recent study out of the University of Toronto suggests that wearable devices are full of security holes. The study, conducted by digital research group Open Effect and U of T’s Citizen Lab, found that many of the most popular devices leak information and are vulnerable to manipulation of recorded data. The devices, which can track everything from heart rate to quality of sleep, collect fitness data that wearers use to keep track of their health goals. These trackers aren’t just for the health conscious: lawyers and insurance companies have used data to verify users’ fitness. But while the devices collect an enormous amount of personal health information, key security flaws make it easy to tamper with the data, the study found. Only the Apple Watch received a clean bill of health from researchers because it connected to other tech, such as cellphones, anonymously. [Source]

WW – Berlin Group Issues Recommendations on Intelligent Video Analytics

The International Working Group on Data Protection in Telecommunications (the “Berlin Group”) has issued a working paper on intelligent video analytics technologies used by both the private and public sectors. Privacy implications include a chilling effect, interference with fundamental rights, and a lack of public awareness of collection practices; recommendations include respect for the principle of lawfulness and fairness through adequate transparency mechanisms (e.g. use a layered notice), and the principle of proportionality (e.g. apply data minimization practices). [Working Paper on Intelligent Video Analytics]

UK – Privacy Watchdog Warns Consumers That Shops Can Track Them

The UK’s privacy watchdog has warned that facial recognition software and handset identifiers broadcast via Wi-Fi are allowing UK retailers to track and target customers through their smartphones. “This technology, which is starting to be rolled out in shops, allows retailers to use the customer journey to build up a picture as to how people typically use the store. It uses the MAC address of a smartphone which can, in many cases, be linked to a specific individual,” says Simon Rice, group manager for technology at the UK ICO. The technology has also been implemented in airports, transport hubs and using city-wide Wi-Fi networks. The ICO warns that smart CCTV systems and facial recognition cameras are capable of identifying individuals, and similar technology is used on the internet to target adverts at users based on their behaviour instead of their faces. [Out-Law]

WW – Retailers Urged to Notify Customers of Mobile Tracking

Retailers have been urged to create a standard symbol, similar to the one used to denote the use of CCTV, to inform customers that their location within shopping areas is being tracked through their mobile device. The recommendation was contained in a new working paper that has been issued by an international working group on data protection in telecommunications on the topic of location tracking from communications of mobile devices. The working group’s paper said retailers should not “seek to collect and monitor outside their premises” and can avoid doing so “through careful placement of receivers, limiting data collection through a sampling method and to specified time periods or times of day.” [Out-Law]
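The ICO’s point that a handset’s MAC address can be linked to a person, and the working group’s advice to limit collection by sampling and by time of day, can be made concrete in the data-handling layer of a footfall sensor. The following is an added example and is not code from the ICO, the working group or any retailer: it replaces raw MAC addresses with a per-day random pseudonym (so visits cannot be linked across days or reversed to a device), discards observations outside opening hours and below a signal-strength floor (a crude proxy for “inside the premises”), and keeps only hourly, aggregate records. The sample probe observations, the opening hours, the RSSI threshold and the one-day salt retention are constructed assumptions.

```python
"""Data-minimizing pseudonymization of Wi-Fi probe-request MAC addresses.

Added example; assumptions: a sensor already hands us (timestamp, MAC, RSSI)
tuples, the shop opens 09:00-18:00, and anything weaker than -80 dBm is
treated as outside the premises.
"""
import hashlib
import hmac
import secrets
from datetime import date, datetime, time

# Constructed sample input, not captured from any real deployment.
# (ISO timestamp, source MAC of a probe request, RSSI in dBm)
SAMPLE_OBSERVATIONS = [
    ("2016-02-18T09:15:02", "a4:5e:60:12:34:56", -61),
    ("2016-02-18T09:15:07", "a4:5e:60:12:34:56", -58),  # same handset, seconds later
    ("2016-02-18T09:16:40", "3c:15:c2:aa:bb:cc", -75),
    ("2016-02-18T23:30:00", "a4:5e:60:12:34:56", -90),  # after closing, weak: dropped
    ("2016-02-19T10:01:12", "a4:5e:60:12:34:56", -60),  # next day: unlinkable pseudonym
]


class DailySaltStore:
    """One random salt per calendar day, forgotten after `retain_days`.

    Because the salt is random and never written anywhere, pseudonyms from
    different days cannot be joined, and nobody (operator included) can turn a
    pseudonym back into a MAC address once the day's salt is gone.
    """

    def __init__(self, retain_days: int = 1):
        self.retain_days = retain_days
        self._salts: dict[date, bytes] = {}

    def salt_for(self, day: date) -> bytes:
        if day not in self._salts:
            self._salts[day] = secrets.token_bytes(32)
            stale = [d for d in self._salts if (day - d).days > self.retain_days]
            for d in stale:
                del self._salts[d]
        return self._salts[day]


def pseudonymize_mac(mac: str, salt: bytes) -> str:
    """HMAC-SHA256 of the normalized MAC under the day's salt, truncated to 64 bits.

    64 bits is more than enough to count distinct visitors per hour and avoids
    storing a value that could serve as a long-term identifier.
    """
    normalized = mac.strip().lower().replace("-", ":")
    return hmac.new(salt, normalized.encode(), hashlib.sha256).hexdigest()[:16]


def in_collection_window(ts: datetime, opens: time, closes: time) -> bool:
    """Collect only during trading hours, as the working paper recommends."""
    return opens <= ts.time() < closes


def minimize(observations, salts: DailySaltStore,
             opens: time = time(9, 0), closes: time = time(18, 0),
             rssi_floor: int = -80):
    """Reduce raw observations to (day, hour, pseudonym) records.

    Drops anything outside opening hours or below the RSSI floor; the raw MAC
    never leaves this function.
    """
    records = []
    for ts_str, mac, rssi in observations:
        ts = datetime.fromisoformat(ts_str)
        if not in_collection_window(ts, opens, closes):
            continue
        if rssi < rssi_floor:  # assumed to be outside the premises
            continue
        pseudonym = pseudonymize_mac(mac, salts.salt_for(ts.date()))
        records.append((ts.date().isoformat(), ts.hour, pseudonym))
    return records


def unique_visitors_per_day(records) -> dict:
    """Aggregate: distinct pseudonyms per day, the figure a retailer actually needs."""
    seen: dict[str, set] = {}
    for day, _hour, pseudonym in records:
        seen.setdefault(day, set()).add(pseudonym)
    return {day: len(p) for day, p in seen.items()}


if __name__ == "__main__":
    store = DailySaltStore()
    recs = minimize(SAMPLE_OBSERVATIONS, store)
    for r in recs:
        print(r)
    print(unique_visitors_per_day(recs))
```

The design choice worth noting is the random, unrecorded daily salt rather than a keyed hash under a long-lived secret: a long-lived key lets the operator (or anyone who obtains the key) re-identify a device from its MAC, whereas a discarded salt makes the stored records useless for anything beyond the per-day counts they were collected for.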

US – At Berkeley, A New Digital Privacy Protest

After hackers breached the computer network of the U.C.L.A. medical center last summer, Janet Napolitano, president of the University of California, and her office moved to shore up security across the university system’s 10 campuses. Under a program initiated by Ms. Napolitano, the former secretary of Homeland Security in the Obama administration, the university system began installing hardware and software in its data centers that would monitor patterns of digital traffic, like what websites are being visited by faculty and students, or telltale signs of cyber intruders. The program, which was begun with little notice or consultation, soon rankled a group of professors at one campus, Berkeley, which has a deep-seated ethos of academic freedom as the cradle of the free speech movement in the 1960s. The faculty group of 11 professors critical of the monitoring program said the university system enacted the program largely in private, with little transparency about what data is being collected. The monitoring could compromise and constrain academic freedom to research topics that some find objectionable, among other repercussions, they said. In a formal meeting with the University of California’s chief information officer in December, the professors asked for the program to be halted. [New York Times]

Telecom / TV

US – Judge Says You Have No Expectation of Privacy When Using Tor

Last week, a federal judge in Washington state issued a baffling opinion suggesting that you don’t have a reasonable expectation of privacy when using Tor, the widely-used anonymity software literally designed to give its users privacy. The judge bizarrely argued that Tor doesn’t give its users complete anonymity because a user has to give their IP address to their ISP to connect to the Tor network. Therefore, he concluded, Michaud’s IP address was “public information, like an unlisted telephone number” that “eventually could have been discovered.” This makes no sense to anyone with a basic understanding of how Tor works. [Source]

Workplace Privacy

CA – Ontario Tribunal Grants Employer Access to Employee Health Information

The Toronto Transit Commission requested that the Human Rights Tribunal of Ontario grant access to an employee’s personal health information. The Order permits the employer to access and disclose the employee’s information in its occupational health file, to meaningfully respond to allegations of discrimination; access and disclosure is granted to the employer’s advisors, individuals giving instructions to counsel, and potential witnesses. [Scott Coutts v. Toronto Transit Commission and Amalgamated Transit Union Local 113 – 2016 HRTO 7 – CanLII – Human Rights Tribunal of Ontario] See also: [European Court of Human Rights Decides that Accessing an Employee’s Work IM Account Did Not Breach His Privacy Rights]

+++

 

16-31 January 2016

 

Biometrics

US – Facial Recognition Systems Coming to All American Airports

After a favorable test run at the Washington Dulles International Airport in 2015, the Department of Homeland Security announced that it would be implementing facial recognition technology in all American airports of entry for foreign visitors and U.S. citizens. The “incremental” implementation will begin at the John F. Kennedy International Airport in New York City by the end of the month. While the DHS’s privacy impact assessment says the system won’t store the photos if “they do not result in an enforcement or administrative action,” privacy advocates such as the ACLU argue that this could be the first small step toward increased surveillance. [Fedscoop]

Big Data

WW – Big Data Report Roundup

The past two years have brought continuous policy discussion around the benefits and challenges that accompany this growing use of big data analytics. The White House and the FTC released reports on big data and data brokers in early 2014. Since then, policymakers and wonks of all stripes have weighed in on the subject, frequently highlighting one of the most contentious topics raised by these studies: how to ensure that the increase in automated decision-making does not result in unfair, unethical, or discriminatory effects for consumers. Early in these conversations, a coalition led by the Leadership Conference for Civil Rights released a set of civil rights principles for the era of big data that established broad guidelines for how to avoid having a discriminatory impact with the use of big data. Washington white papers naturally followed; the Future of Privacy Forum partnered with the Anti-Defamation League to produce a report on using big data to fight discrimination and empower groups; Upturn wrote a report on the intersection of big data and civil rights; the President’s Council of Economic Advisors wrote about differential pricing; and the White House has promised a report on the implications of big data technologies for civil rights. Several groups convened on the topic, including an FTC workshop, which resulted in an eventual report around the use of big data for inclusion and exclusion.

WW – Poll Finds Dismal European Big Data Attitudes

A new study conducted for Vodafone’s Institute for Society and Communications found that of 8,000 respondents, “just under a third” felt there were significant advantages to big data, while “barely more than a quarter” trusted companies to respect their privacy and their data. The findings were an “indictment of current European data protection practices.” [Fortune] See also: [No new ‘competition rulebook’ necessary for big data age, says EU commissioner] and also [The Imperative for Ethical Standards in Analytics]

Canada

CA – Privacy Commissioners Issue Joint Resolution on Information Sharing

Canada’s Information and Privacy Commissioners issue a joint resolution to all levels of government relating to information sharing initiatives. All levels of government are urged to be open and transparent about the implementation of information sharing initiatives, including what information will be collected, shared and disclosed; processes should be in place for individuals to request and correct their personal information, for staff to have regular and ongoing training on relevant policies and procedures, and for use of privacy impact assessments before implementation of these initiatives. [OPC Canada – Protecting and Promoting Canadians Privacy and Access Rights in Information Sharing Initiatives] [Press Release] [Resolution] [priv.gc.ca] [Parliament Should be Wary of Warrantless Access – Privacy Commission – Toronto Star]

CA – Canada’s Spy Agencies Broke Surveillance Laws, Watchdogs Reveal

A new report reveals that the Communications Security Establishment (CSE) has unlawfully shared data with foreign allies, while a report on the CSIS made public on the same day said CSIS has been neglecting to tell judges who authorize surveillance operations they are retaining elements of communications intercepts they are ordered to destroy. The reports from the watchdogs for CSE and CSIS centred on “metadata,” or the intercepted telecommunications trails reflected in phone logs and Internet protocol (IP) exchanges. Collecting and sharing such material can vastly expand intelligence-gathering operations. The legal issues this raises have been quietly debated over the past 15 years within Canada’s intelligence bureaucracy, but not in open courts or Parliament. [Globe&Mail] See also: [Watchdogs report lapses in CSIS, CSE intelligence practices] [CSIS Repeatedly Accessed CRA Taxpayer Info Without a Warrant] and [Think the Liberals will rein in the spy services? Don’t bet money on it] [Yahoo News: CSE Shut Down Data-Sharing, Post-Breach] [Canada’s Electronic Spy Agency Broke Privacy Law by Sharing Info: Watchdog]

CA – BC Privacy Breach a Failure of ‘Executive Leadership’

B.C. Information and Privacy Commissioner Elizabeth Denham said the Ministry of Education underestimated the potential fallout from misplacing a hard drive containing information about some 3.4 million school students. This week, Denham issued a report on the data breach finding that several B.C. education department workers contravened a series of security policy directives and protocols by transferring information from the ministry server onto mobile hard drives, one of which was then lost. Yukon Information and Privacy Commissioner McLeod-McKay, reacting to the B.C. report, said it’s clear that having good policies and procedures in place isn’t enough; there must also be good training and auditing of whether or not the policies are effective. [Source] [Yukon Privacy Commissioner in the Dark About Territory’s Response to Data Breach]

CA – Police Inspection of Laptop Infringed Charter: Ontario Court

Tyler Mayo filed a motion to suppress evidence alleging a violation of his Charter of Rights and Freedoms during a search and seizure. The search of a suspicious laptop (potentially containing child pornography) infringed the Charter when the police opened one of the computer files with a suspicious name, viewed its contents and attempted to open a second file (the police should have allowed the computer technician to return to the directory where the suspicious file names could be in plain view); the infringement was modest (the police conducted only a limited search of the computer relinquished to a computer store, and a warrant for a further search was obtained). [R v Mayo – 2016 INSC 125 – Can LII]

CA – Police Search of Computer Overly Broad: Alberta Court

The Court of Queen’s Bench in Alberta considers whether search warrants complied with section 487 of the Criminal Code and section 8 of the Canadian Charter of Rights and Freedoms. Police failed to apply a date filter to the contents of the computer and storage devices being searched; exporting a decade of personal information (e.g. emails sent and received, photos, videos, complete internet browsing history and Skype exchanges) accumulated on and deleted from the devices was not justified, since a mirror image of the website that the search warrant pertained to was already secured and a number of videos on the website had already been accessed. [HMQ v Mark Marek – 2016 ABQB 18 – Court of Queens Bench of Alberta]

CA – Another New Privacy Tort for Ontario

Last week saw a striking decision issued by the Ontario Superior Court of Justice. 2012 saw the tort of “intrusion upon seclusion” recognized; in 2016, we now have the tort of “public disclosure of private facts”. Unlike the 2012 decision, this one came with a large damage award. Conduct characterized as “revenge porn” clearly fits within the elements of this tort. Mr. Justice Stinson, having found that not one but two torts had been committed, could have stopped there. However, in concluding as he did, he recognized a new cause of action in Ontario: “public disclosure of private facts”. Mr. Justice Stinson modified the test articulated by Prosser, reflecting modern communication technology, to say “…if the matter publicized or the act of publication…” [Source] See also: [Experts praise court decision against man for posting explicit video of ex-girlfriend]

CA – Privacy Commissioner Launches Online Privacy Tool for Families

To mark international data privacy day, the Office of the Privacy Commissioner of Canada has launched “House Rules”, a new interactive tool for families aimed at helping parents manage the online risks facing their children. Parents are invited to use the tool to assess how their children interact online through games, mobile applications and social networking sites as a means of starting a dialogue on safe and responsible surfing. The tool offers simple tips parents and children can customize into their very own “House Rules” that can be printed off and posted in a common area as a reminder of how to protect privacy online. The Office of the Privacy Commissioner of Canada is also unveiling a new tip sheet for individuals to help all Canadians become more familiar with the basics of privacy protection. [Source]

Consumer

US – Americans Express “Loss of Control” Over Their Data: Study

A study on American privacy perspectives found that 91% of Americans feel as though they’ve “lost control” over their data, with 86% taking steps to protect their information online and 47% still unsure about the breadth of the data that’s being collected about them, the organization reports. “Americans express a consistent lack of confidence about the security of everyday communication channels and the organizations that control them — particularly when it comes to the use of online tools, and they exhibited a deep lack of faith in organizations of all kinds, public or private, in protecting the personal information they collect.” Attitudes about surveillance, however, are split, with 52% expressing high levels of concern about the practice, while 46% identified as “not very concerned.” [PEW Research]

US – More Americans Worried About Privacy than Income Loss: Report

A new report from the TRUSTe/National Cyber Security Alliance Consumer Privacy Index indicates more Americans are worried about their data privacy than losing their main source of income. The study indicates concerns over online privacy beat worries about income loss by 11%. The study also found that 56% of Americans say they “trust businesses with their personal information online,” the report states. “If you ask, ‘what does privacy mean for you?’ you’ll find that privacy is an individual thing, and it is different for every person.” [CBS News]

WW – Password List Illustrates User Annoyance and Tech Dead End

SplashData’s annual list of most common passwords found that, once again, “123456” is America’s most beloved digital key. However, this comical collection highlights both user frustration with password use and the technological sector’s current quest to replace it with something more sophisticated. Fingerprint authentication is one future avenue, but critics argue that the commonality of our fingerprints makes them easy to lift and nefariously employ. [The Washington Post]
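The practical defence against the “123456” problem is not a stricter complexity rule but a check of each new password against a list of the ones people actually choose, with the common disguises (capitalisation, leet substitutions, a trailing year or “!”) stripped before the comparison. The following is an added example, not SplashData’s code or list: the blocklist entries other than “123456” are illustrative, and the substitution map and eight-character floor are assumptions a deployment would tune.

```python
"""Blocklist-style password check for a registration or change-password form.

Added example. Assumptions: a constructed blocklist (a real deployment would
load a much larger published list), an 8-character minimum, and a small
leet-speak map covering the substitutions people most often use.
"""
import unicodedata

# Constructed blocklist; only "123456" is taken from the page.
COMMON_PASSWORDS = frozenset({
    "123456", "password", "12345678", "qwerty", "123456789",
    "football", "letmein", "welcome", "iloveyou", "monkey",
})

MIN_LENGTH = 8

# Reverse the substitutions people make to satisfy "must contain a digit/symbol".
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def normalize(password: str) -> str:
    """Collapse the usual cosmetic changes so 'P@ssw0rd2016!' compares as 'password'.

    Order matters: trailing digits/punctuation are stripped first, then
    leet characters are mapped, so a trailing '1' is not turned into an 'i'.
    """
    pw = unicodedata.normalize("NFKC", password).lower()
    pw = pw.rstrip("0123456789!?.")
    return pw.translate(LEET_MAP)


def is_blocklisted(password: str, blocklist=COMMON_PASSWORDS) -> bool:
    """True if the password, as typed or after normalization, is a known common one."""
    lowered = password.lower()
    if lowered in blocklist:
        return True
    core = normalize(password)
    return bool(core) and core in blocklist


def check_password(password: str) -> list:
    """Return a list of reasons the password should be rejected (empty means OK)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if is_blocklisted(password):
        problems.append("matches a commonly used password")
    if len(set(password)) == 1:
        problems.append("single repeated character")
    return problems


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2016!", "Qwerty123", "correct horse battery staple"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

Note that the blocklist check is deliberately applied to the normalized form as well as the literal one; rejecting only exact matches would pass “P@ssw0rd1!” while still teaching users that the way round the rule is to decorate a weak word.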

WW – Study: Bitcoin Users Trust the Currency’s Promise of Privacy Too Much

A new bitcoin study conducted by Rutgers University found that bitcoin users overestimate its provision of anonymity. Bitcoin “transactions are recorded in a public ledger and are traceable with some effort.” “The users in the study trust the security and privacy mechanisms of Bitcoin more than they actually should.” The currency’s increased privacy, however, could give it an edge over physical money in the future. “What I personally like [about bitcoin use] is the anonymity,” said a study author. “You can’t track at all what I’m buying from the supermarket if I don’t use a loyalty card with my purchases when I pay in cash.” [Rutgers]

E-Government

CA – Supreme Court Gears to Battle Ottawa Over IT Rules

The country’s highest court is ready to launch a legal battle with the federal government over new IT rules, which the Supreme Court of Canada fears would threaten its independence. The Supreme Court is not alone in these concerns: the Federal Court, Federal Court of Appeal, Court Martial Appeal Court and Tax Court are all prepared to launch a constitutional challenge against having the government’s super-IT department involved in their digital affairs. The federal Liberals are now left to decide how to handle an issue created by a decision of the previous Conservative government that came into effect during the federal election. That decision forced the courts to go through Shared Services Canada for all IT purchases, such as servers, routers and software, rather than letting them make the procurements on their own. The courts had that power until Sept. 1, when the new rules kicked in and made them a “mandatory client” of Shared Services Canada, which oversees purchases and digital services for 43 of the heaviest IT users in the federal government. The move approved by the Conservative cabinet in May 2015 was supposed to save money, since Shared Services Canada buys in bulk, and improve digital security, because it buys from safe suppliers. [Toronto Star]

E-Mail

US – Yahoo Enters Into Settlement Agreement for Alleged Email Scanning and Extraction Practices

Yahoo accepts a settlement agreement for alleged e-mail scanning and extraction practices that violated the Stored Communications Act and California’s Invasion of Privacy Act. Yahoo must make technical changes so that all incoming and outgoing emails sent to and from users in the US are analyzed for advertising purposes only after the user can access the email in their inbox or sent folder; modifications to its website include a paragraph stating that all communications content is analyzed and stored, and that keywords, package tracking and product ID numbers are shared with third parties. [In Re Yahoo Mail Litigation – US District Court Northern District of California San Jose Division – Case No. 5-13-cv-04980-LHK] [Related News Article]

Electronic Records

US – Research Firms Team For Privacy Initiative

ESOMAR, an association for market research firms, announced on Data Privacy Day a new initiative by its members aimed at boosting “transparency and choice for online audience measurement research.” Headed up by comScore, GfK, Kantar, and Nielsen, the effort, dubbed Research Choices, will help consumers understand online data collection practices and facilitate access to different choice mechanisms across the Internet. Research firms interested in joining the effort must subscribe to the ESOMAR code of conduct, or equivalent ethical code. [IAPP Privacy Advisor]

US – Improper Employee Log-in Use Led to Californian Health Insurance Breach

21,000 Blue Shield of California members were affected by a breach catalyzed by “the misuse of Blue Shield customer service representatives’ log-in information.” While the company’s data systems were left unsullied, everything from Social Security numbers to addresses “could” have been exposed between September and December 2015, the company told those affected. The company promised complimentary credit-tracking to victims. [FierceHealthPayer]

Encryption

US – California Bill Prohibits the Sale of Encrypted Smartphones

Assembly Bill 1681, amending existing state law and the Business and Professions Code to prohibit the sale of encrypted smartphones, is introduced. The bill requires that a smartphone manufactured on or after January 1, 2017, and sold or leased in California, must be capable of being decrypted and unlocked by its manufacturer or operating system provider; a $2,500 penalty will be imposed for non-compliance with the decryption requirement for each smartphone sold or leased. [Assembly Bill 1681 – An Act to add Section 22762 to the Business and Profession Code, Relating to Smartphones – California Assembly] See also: [BlackBerry says its encryption has not been “cracked” by police]

EU Developments

EU – Safe Harbor Deadline Passed: Agreement Reached

The deadline for the US and European Union negotiators to reach a new Safe Harbor data protection agreement satisfactory to both entities was January 31, 2016. The old arrangement was invalidated last fall after the EU Court of Justice found that it did not adequately protect the privacy of EU citizens. [The Hill] [ComputerWorld] [Ars Technica] The European Commission announced an agreement with the U.S. Department of Commerce to replace the invalidated Safe Harbor agreement on transatlantic data flows with a new EU-U.S. “Privacy Shield.” [Hogan Lovells: EU-U.S. Privacy Shield to Replace Safe Harbor]

WW – Law Firm Contends U.S., EU Privacy Protections Are Equal

According to Geoffrey Robertson QC, the October ECJ judgment that invalidated the “safe harbour” agreement was based on trusting news reports of revelations by Edward Snowden rather than a thorough investigation of US law. He added that the US had become more “privacy friendly” than Europe. He made the comments in an independent opinion commissioned by Facebook, which has been affected by the ECJ ruling. The social network is lobbying against the decision alongside other big technology groups. The barrister, who has represented WikiLeaks and media companies in free-speech cases, said: “It is intellectually dishonest at present to say we have any kind of protection in Europe against national security surveillance.” [FT.com] The Sidley report represents one of the most comprehensive rebuttals to suggestions that the European Court of Justice’s ruling in October on privacy opened an irreparable rupture for U.S. and EU commerce. The decision tossed out the widely used business data-transfer agreement on the grounds that Europeans’ privacy might not be adequately protected against U.S. national security surveillance. The Sidley Austin authors, based in the U.S. and EU, said that while the ECJ did invalidate the agreement, it did so because a test had not been done to establish equivalent privacy protections in the U.S., leaving the door open to a new agreement that is based on such a finding of equal privacy. [Source] [Take-up of cloud storage in Europe affected by privacy issues]

EU – Study Hints at How E-Privacy Directive Might be Reformed

The Commission wants to update the EU’s Privacy and Electronic Communications (e-Privacy) Directive and the recommendations made to it last summer suggest that wide-ranging changes are likely, including to rules on the use of cookies, direct digital marketing and on the processing of location data.

Telecoms bodies have called for the repeal of the e-Privacy regime, but the study suggests it will be expanded and will have an impact on many more businesses that communicate via digital channels than is currently the case. The Commission, which first outlined its intention to reform the e-Privacy Directive in 2014, has promised to consider the findings of the study. Proposals for reforms are scheduled to be instigated this year, with a consultation on the reforms likely to be opened in March, according to recent reports. [Out-Law]

EU – Independence of Data Protection Commissioner Questioned

The Irish High Court is being asked to make a referral to the EU’s highest court for a ruling on whether Ireland’s Data Protection Commissioner is truly independent under EU law. Legal papers served on the State and the Attorney General claim the State has acted in breach of EU law by failing to ensure the regulator exercises its role independently. The action is being taken by the privacy advocacy group Digital Rights Ireland (DRI), which took a successful case to the Court of Justice of the European Union in 2014 overturning the entire regime under which the telephone and internet data of over 500 million European citizens were retained for up to two years. The papers note that the office of the commissioner, Helen Dixon, is integrated with the Department of Justice and that the commissioner and all her office’s employees are civil servants. They also allege the commissioner has failed to act independently in policing databases of citizens created in recent years by both Irish Water and the Department of Education. The commissioner’s office is considered one of the most important regulatory roles in Europe because of the high number of multinational, data-rich firms based in Ireland, including Facebook, Apple and LinkedIn. It has come under repeated criticism from some EU sources for being “soft” on regulation, partly because of the number of jobs such firms support here. That allegation has been denied by the current commissioner and by her immediate predecessor Billy Hawkes. [Source]

Facts & Stats

US – Breach Costs Often Come Long After Incident Detection: Survey

According to a new study, the costs of data breaches go “far beyond the initial incident response and customer notification costs.” The SANS Institute survey found that “about one third of organizations are able to remediate breaches within a week of detection, and the greatest financial impact from breaches extended months and even years beyond the event for the majority of organizations.” The survey looked at how nearly 60 organizations coped with breaches and found more than 40% said the greatest impact from the breach was felt one to 12 months after the incident. Some of that was because of unforeseen required actions necessary for forensics or data recovery. [Dark Reading]

US – OTA Releases 2016 Data Protection & Breach Readiness Guide

91% of breaches are avoidable. The best defense is implementing a broad set of operational and technical best practices that helps protect your company and your customers’ personal data. The second step is to be prepared with a data lifecycle plan that allows a company to respond with immediacy. Ultimately, industry needs to understand that effectively handling a breach is a shared responsibility of every functional group within the organization. A key to success is moving from a compliance perspective to one of stewardship. This perspective recognizes the long term impact to a brand, the importance of consumer trust, and implications and considerations with vendors and business partners. The OTA Guide includes a risk assessment guide for service providers, checklists for cyber insurance, security best practices, incident reporting forms, remediation service checklists and more. [OTA Alliance] [Cyber Attackers Focusing on Targets With Most Valuable Data] [https://otalliance.org/Breach]

Finance

WW – Insurers Will Look for Evidence of Appropriate Cyber Defenses for Cyber Insurance Policies in 2016

Insurers who provide cyber insurance are not convinced enterprises are doing enough to protect their digital assets. A recent study from CSO outlines some major changes coming to cyber security insurance in 2016: Cyber insurance will move toward a “must have” and “evidence based” model with new minimum level requirements in place for policies. This is expected to disrupt the cyber security industry and place new challenges on IT workers. However, it is good news for customers because it drives improvements to companies’ ability to handle threats and protect customer information. [RSA]

WW – Survey: Half of IT Pros Don’t Know Where Their Payment Data is Stored

A recent study indicates a “critical need” for organizations to improve their payment data security practices. A study by Gemalto of more than 3,700 IT professionals found 54% said their companies had experienced a data breach involving payment data “an average of four times in the past two years,” and 55% said they don’t know where their payment data is stored. Meanwhile, researchers say they’ve found four vulnerabilities in Lenovo ShareIT, which they say could mean data leaks. [InformationAge]

CA – Disclosure of PI for Purposes of Debt Collection: How Far Can You Go?

The applicable federal private sector legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), allows the disclosure of personal information about an individual without their consent for the purpose of collecting a debt owed by the individual. However, based on the position reportedly taken by the Privacy Commissioner in this case, publicly posting private financial information of identifiable individuals does not fit within the ambit of the exception and the exception does not give a blanket permission to indiscriminately disclose a debtor’s personal information. [Lexology]

FOI

CA – Info Commissioners Call on Governments to Create a Duty to Document

Canada’s Information Commissioners have called on their respective governments to create a legislated duty requiring public entities to document matters related to their deliberations, actions and decisions.

In a joint resolution, information commissioners expressed concerns about the trend towards no records responses to access to information requests. This lack of records weakens Canadians’ right of access and the accountability framework that is the basis of Canada’s access to information laws. Without adequate records, public entities also compromise their ability to make evidence based decisions, fulfill legal obligations, and preserve the historical record. Canada’s information commissioners have urged governments to create a positive duty for public servants and officials to create full and accurate records of their business activities. This duty must be accompanied by effective oversight and enforcement that ensures Canadians’ right of access to public records remains meaningful and effective. [Source]

CA – BC OIPC Rejects Third Party’s Assertion that Contract Information is Supplied and Subject to Exemption from Disclosure

This OIPC order reviews the Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism’s decision not to withhold records requested under B.C.’s Freedom of Information and Protection of Privacy Act. The information does not meet the second part of a 3-part test because it is not supplied to a government ministry, but negotiated; the disputed information contains the sort of detail about contractual arrangements that would have been susceptible to change through negotiation, and it is clear that an agreement was reached between the parties to amend certain obligations of an existing contract. [OIPC BC – Order FEW-71 – Ministry of International Trade and Ministry Responsible for Asia Pacific Strategy and Multiculturalism]

CA – The Northwest Territories’ Health-Specific Privacy Legislation In Effect

The Northwest Territories have enacted the Health Information Act, SNWT 2014, c 2 (HIA) which took effect on October 1, 2015. The HIA sets out rules for the collection, use and disclosure of personal health information; the Act is designed to protect health information and facilitate the provision of health services. Much like the health privacy statutes of other provinces, the HIA recognizes the sensitive nature of personal health information, which is frequently shared in the provision of health care and the management of our publicly funded health care system. Other Canadian provinces and territories have similar legislation, including Alberta, Saskatchewan, Manitoba, Ontario, Newfoundland and Labrador, New Brunswick, Nova Scotia, British Columbia and Quebec. Similar laws have also been passed in Prince Edward Island (Bill 42 – Health Information Act) and Yukon (Bill 61 – Health Information Privacy and Management Act), but have yet to be enacted into force. [Lexology]

Health / Medical

US – Academy of Family Physicians Clarifies HIPAA Disclosure Amendments

The American Academy of Family Physicians clarifies the amendments to the HIPAA Privacy Rule. Covered entities can disclose the minimum necessary identifying information about individuals who have been involuntarily committed to a mental health institution, lack the mental capacity to manage their own affairs, or have been determined to be a danger to themselves or others; the Rule is not applicable to most health care professionals and diagnostic or clinical information may not be disclosed. [Modified HIPAA Rule Allows Limited Reporting of Patient Information – American Academy of Family Physicians]

US – Health Care Entities Unite for Privacy’s Sake

In an effort to curb cyberattacks, privacy gaffes and HIPAA breaches, the Electronic Healthcare Network Accreditation Commission and the National Health Information Sharing and Analysis Center have become allies, with plans to initiate blended teams to analyze threats, present research, and plan education events. “We are our own worst enemy, and if we don’t come together and share information, the bad guys are sharing information, and shame on us,” said NH-ISAC President. “The collaboration is significant, because there’s growing need for healthcare organizations to share threat level data,” the report adds. “This information has been ineffectively shared in the past because of competitive pressures and the disjointed nature of the industry.” [HealthData Management]

US – HIPAA Modified in Light of President Obama’s Executive Order

The U.S. Department of Health and Human Services’ Office of Civil Rights updated HIPAA in accordance with President Obama’s executive order regarding firearms. Entities under the HIPAA umbrella will be able to provide the National Instant Criminal Background Check System with the identities of individuals with a “mental health prohibitor” that would prevent them from “transporting, possessing or receiving a firearm,” starting Feb. 5 of this year. The revision “does not apply to most health care providers, allows only limited demographic and certain other information needed for the purposes of reporting to the background check system, and specifically prohibits the disclosure of diagnostic or clinical information from medical records or other sources.” [National Law Review]

US – FDA Issues Medical Device Cybersecurity Draft Guidance

The US Food and Drug Administration (FDA) has issued draft guidance, “Postmarket Management of Cybersecurity in Medical Devices,” for device manufacturers. In October 2014, the FDA issued guidance for medical device manufacturers regarding building cybersecurity into their product from the beginning of the development process. [News-Medical] [GovInfoSecurity] [January 2016 Draft Guidance] [October 2014 Guidance]

Horror Stories

US – LinkedIn’s Individual Payment in Data Loss Settlement Sets It Apart

Class counsel has dubbed the $13 million, $16-per-victim LinkedIn class-action settlement “particularly impressive” in comparison to the outcome of other cyber privacy suits due to the individual-by-individual payoff. More than 550,000 LinkedIn netizens reported that they were victims of the company’s misuse of contact information after it sent invitational emails to user connections. In addition to user payment, the settlement requires LinkedIn to improve and clarify its disclosure policy in regards to its “Add Connections” feature, among others. The arrangement is still awaiting final approval by California’s U.S. District Court Judge Lucy Koh. [Media Post]

Identity Issues

US – FTC: Tax Fraud Behind 47% Spike in ID Theft

In kicking off “Tax Identity Theft Awareness Week,” FTC released new stats showing that the agency received more than 490,000 identity theft complaints last year, a 47% increase over 2014. In a conference call with the news media, FTC Chairwoman Edith Ramirez called tax refund fraud “the largest and fastest growing ID theft category” that the commission tracks. [Source]

US – FTC Announces Significant Enhancements to IdentityTheft.gov

For the first time, identity theft victims can now go online and get a free, personalized identity theft recovery plan as a result of significant enhancements to the FTC’s IdentityTheft.gov website. The new one-stop website is integrated with the FTC’s consumer complaint system, allowing consumers who are victims of identity theft to rapidly file a complaint with the FTC and then get a personalized guide to recovery that helps streamline many of the steps involved. [FTC Press Release]

Intellectual Property

WW – Netflix Cracking Down On Proxy Users

Netflix says it’s going to crack down on customers using VPN software to access content that isn’t available or licensed in their country of origin. “Some members use proxies or ‘unblockers’ to access titles available outside their territory,” the company said in a statement. “In coming weeks, those members using proxies and unblockers will only be able to access the service in the country where they currently are.” The move is aimed at appeasing content producers’ licensing agreements with Netflix. [TechCrunch]

Internet / WWW

WW – Winners of FPF Best Privacy Papers Announced

The Future of Privacy Forum announced its choices for the best privacy research papers of 2015 at the Sixth Annual Privacy Papers for Policymakers. The winners were Florian Schaub, Rebecca Balebako, Adam L. Durity, and Lorrie Faith Cranor, for “A Design Space for Effective Privacy Notices”; Ira S. Rubinstein and Woodrow Hartzog’s “Anonymization and Risk”; Arvind Narayanan, Joanna Huey, and Edward W. Felten’s “A Precautionary Approach to Big Data Privacy”; Ryan Calo’s “Privacy and Markets: A Love Story,” and Neil Richards and Woodrow Hartzog’s “Taking Trust Seriously in Privacy Law.” Honorable mention went to Peter Swire for “Going Dark: Encryption, Technology, and the Balance Between Public Safety and Privacy” and Joel R. Reidenberg’s “The Transparent Citizen.” A summary of each of the winning papers can be found here. [FPF]

Law Enforcement

US – CDT Sides with ACLU on Unconstitutionality of Sex Offender Regulations

A Center for Democracy & Technology amicus brief for the Sixth Circuit’s Doe v. Snyder case supports the ACLU of Michigan’s assertion that the online registration regulations for former sex offenders are indeed a constitutional breach, the organization said in a statement. “The district court wrongly concluded that the identifiers requirement does not infringe registrants’ constitutionally protected right to engage in unidentified expression, because the law does not unmask their anonymity to the public. But the right to speak without identifying oneself or one’s content to the government is critical — particularly for engaging in expression that may be controversial or highly personal,” the statement reads, adding that the regulation does not set out any plans for data protection. “We urge the Sixth Circuit to hold Michigan’s ‘Internet identifiers’ requirement to that standard and declare it unconstitutional on its face,” the statement continues. [CDT.org]

Location

US – ALPR “Unprecedented Threat to Privacy”

Throughout the United States—outside private houses, apartment complexes, shopping centers, and businesses with large employee parking lots—a private corporation, Vigilant Solutions, is taking photos of cars and trucks with its vast network of unobtrusive. A private company has captured 2.2 billion photos of license plates in cities throughout America. It stores them in a database, tagged with the location where they were taken. And it is selling that data. [The Atlantic]

WW – Industry Group Issues Safeguards to Mitigate Privacy Risks Associated with Location Tracking

The International Working Group on Data Protection in Telecommunications issued a working paper on location tracking in mobile devices. Privacy risks of location tracking of mobile devices include covert collection of device-specific identifiers and the combination of tracking data with other online/offline information; recommendations include conducting a PIA, notifying individuals, limiting the bounds of data collection, anonymising data without delay, appropriate retention of individual-level data, consent for combination with other information and for sharing of individually identifiable data with third parties, and implementing a simple and effective means to control collection. [Working Paper on Location Tracking from Communications of Mobile Devices]

Online Privacy

WW – Skype Now Hides Your Internet Address

Ne’er-do-wells have long abused a feature in Skype to glean the Internet address of other users. Indeed, many shady online services that can be hired to launch attacks aimed at knocking users offline bundle so-called “Skype resolvers” that let customers find a target’s last known location online. At long last, Microsoft says its latest version of Skype will hide user Internet addresses by default. [Krebs]

Privacy (US)

EU – Schrems Responds to US Lobby Groups on Safe Harbor

In a brief but clearly argued letter to European data protection authorities, Max Schrems writes that “attempts by lobby groups and the US government to ‘reinterpret’ or ‘overturn’ the clear judgement of the Union’s highest court are fundamentally flawed.” Schrems brought the successful case to the European Court of Justice that struck down the Safe Harbor arrangement. The Schrems letter, released on International Data Protection Day, also states that a new transfer agreement must provide “protection against government surveillance and ‘essentially equivalent’ protection against the commercial use of data by certified companies.” Max Schrems received the 2013 EPIC Champion of Freedom Award.

US – Law Firm Argues US, EU Privacy Laws ‘Essentially Equivalent’

A recent report from a US law firm concludes that the US offers essentially equivalent privacy protection to Europe. The report also finds that “This body of laws ensures that government access to data for law-enforcement and intelligence purposes is limited to what is necessary and proportionate.” However, all travel records of Europeans are routinely transferred to the US Department of Homeland Security without any legal protection, and under Section 702 of the Patriot Act, the US government routinely obtains vast amounts of personal data on non-US persons, including communications logs and website activity. Executive Order 12333 provides even broader surveillance authorities. [Sidley Austin LLP: “Essentially Equivalent” (Jan. 2016)]

US – FTC Issues Privacy Update Report

The FTC announced the publication of its Privacy & Data Security Update 2015. The report aims to highlight the agency’s commitment to ensuring consumers are able to reap “the benefits of innovation in the marketplace, confident that their personal information — online and offline — is being handled responsibly,” citing a host of its 2015 initiatives, from the PrivacyCon event to its IdentityTheft.gov website, as evidence of meeting that goal. “Each of our projects in the privacy and data security arena has been informed by a central message: Even in the face of rapidly changing business models and technologies, companies still need to follow fundamental privacy principles.” [FTC]

US – Wyoming Legislature to Consider ‘Right to Privacy’

The Wyoming State Legislature will debate whether Wisconsin voters will vote on the addition of privacy as a citizen’s right in the state’s constitution. This will be the second attempt by privacy advocates to get the legislature to consider such an addition, after it was thrown out last year for imprecise language and confusing implications. This measure specifies that it “wouldn’t deprive people of the right to inspect public records or observe government operations” and has the support of the chief information officer for the State of Wyoming. According to the National Conference of State Legislatures, 10 other state constitutions already recognize citizens’ right to privacy. They are: Alaska, Arizona, California, Florida, Hawaii, Illinois, Louisiana, Montana, South Carolina and Washington. [ABC News]

US – ACLU Leads Privacy Charge In 16 States

Frustrated with the lack of federal leadership on privacy issues, the ACLU has orchestrated a rollout of state-level legislation that would work to make privacy regulations more sophisticated across 16 states. The ACLU has found allies in exasperated legislators as well. Regarding privacy issues, “our federal gov­ernment didn’t take the lead and should have taken the lead,” said Rep. Peter Lucido, R-Mich., adding, “But now it left us all to go ahead and fend for ourselves at the state level.” The bills cover everything from law enforcement surveillance to student and employee privacy rights. “This movement is about seiz­ing control over our lives,” said the ACLU’s Anthony Romero. “Everyone should be empowered to de­cide who has access to their personal information.” [The National Journal]

US – New York Bill Requires Mobile Devices to Have an Enabled Solution to Render the Device Permanently Inoperable

Senate Bill S.51, the Smartphone and Tablet Security Act, was introduced in the New York State Senate and referred to the Consumer Protection Committee. Owners of devices sold after January 1, 2016 must be able to disable voice communications, connections to the internet, and access and use of mobile software applications when the device is no longer in their possession; these features can be disabled by consumers after purchase (but not by retail sellers). [S.51 – The Smartphone and Tablet Security Act – New York Senate]

US – EPIC Gives 2016 Freedom Award to Viviane Reding

EPIC has presented the 2016 International Champion of Freedom Award to former EU Justice Minister Viviane Reding. Ms. Reding led the effort in the European Commission for adoption of the new European privacy law, the General Data Protection Regulation. The EPIC award was presented January 27, 2016, at the annual Computers, Privacy & Data Protection conference in Brussels. [EPIC]

US – How Facebook Tracks and Profits from Voters in a $10bn US Election

The Cruz campaign is using Facebook to target voters on a range of issues, from broad ones like immigration controls to niche causes such as abolishing state laws against the sale of fireworks. Facebook told investors it was “excited about the targeting”, and does not let candidates track individual users. But it does now allow presidential campaigns to upload their massive email lists and voter files – which contain political habits, real names, home addresses and phone numbers – to the company’s advertising network. The company will then match real-life voters with their Facebook accounts, which follow individuals as they move across congressional districts and are filled with insightful data. The data is encrypted and not retained by Facebook after ads run, the company said. Acxiom, a massive data broker based in Little Rock, Arkansas, helps campaigns upload the voter info. A campaign operative said the Texas senator has been using Facebook ads to raise money, among other things, and a Guardian analysis shows Cruz-affiliated donors are spending $10,000 per day on Facebook “placement” as the first vote nears. [The Guardian]

Privacy Enhancing Technologies (PETs)

UK – Government Rolls Out Massive Blockchain Report

In a major 88-page tome on Blockchain and distributed ledgers, the UK Government’s Chief Scientist sets out how this technology could transform the delivery of public services and boost productivity. The UK report states that Blockchain technology could provide government with new tools to reduce fraud, error and the cost of paper-intensive processes, and that it also has the potential to provide new ways of assuring ownership and provenance for goods and intellectual property. The report also includes a lengthy look at Estonia, which is already moving quickly to adopt distributed ledgers — the Estonian case study shows how quickly a small country with an effective, digitally aware leadership can progress, and considers the features of advancing digital nations. [Source] See also: [Privacy on the Blockchain: Exploring the Blockchain technology and its privacy potential]

Security

WW – Study: Cybersecurity Fears Top Terrorism, Climate Worries

The World Economic Forum’s annual Global Risks Report named cybersecurity among its gravest industry threats, ranking higher than terrorism and climate change. This is the third time in a row that the issue has made the study. “As the Internet of Things leads to more connections between people and machines, cyber dependency — considered by survey respondents as the third most important global trend — will increase, raising the odds of a cyberattack with potential cascading effects across the cyber ecosystem.” [SC Magazine]

CA – Regulator Issues Vendor Risk Assessment and Cyberincident Checklist

The Investment Industry Regulatory Organization of Canada (“IIROC”) has issued a guide for vendor risk management for small and mid-sized Dealer Members. Assessing vendor risk requires a detailed response from vendors regarding their consideration of issues such as vendor controls, security architecture, information system configuration, access controls, security monitoring, physical security, contingency planning, and their business associates. [Vendor Risk Management – Investment Industry Regulatory Organization of Canada] Organizations should undertake activities before an incident (e.g. create a prioritized list of information assets critical to the functioning of the organization), during an incident (e.g. convene one teleconference to discuss what is required to restore operations), and after an incident (e.g. discuss any changes in process or technology needed to mitigate future incidents). [Cybersecurity Best Practices Guide – Investment Industry Regulatory Organization of Canada]

WW – Software Bugs Rampant in Home Wi-Fi Routers

Software bugs have proliferated in basic home Wi-Fi routers, and getting security patches out to users afterwards is proving difficult. In one example, a bug that was fixed by Allegro Software Development nearly 10 years ago was still found to exist in more than 10 million devices. It turns out that a router manufacturer had been including the pre-2002 version of Allegro’s software on new routers. “The router flaw highlights an enduring problem in computer security: Fixing bugs once they have been released into the world is sometimes difficult and often overlooked,” the report states. [Wall Street Journal]

Smart Cars

US – Auto Industry, DoT Agree on Cybersecurity Best Practices

The U.S. Department of Transportation and 17 automakers have reached an agreement designed to improve safety and increase the sharing of cyber-threat information. With regard to cybersecurity, the automakers — including General Motors, Ford, and Toyota — also agreed to suggest best practices, share lessons learned, and work with the info-sharing and analysis center created by the auto industry last year. The group released a list of “proactive safety principles” that aim to help the industry improve cybersecurity. The list includes plans to create an automotive industry Information Sharing and Analysis Center (ISAC). Automobile supply companies will be urged to join as well. The car makers also want to work with bug hunters. [ComputerWorld] [Wired] [Proactive Safety Principles 2016] Last year, security specialists successfully hacked into and took control over a connected car, prompting a first-of-its-kind recall by Fiat-Chrysler. [Bloomberg]

CA – OIPC AB Issues PIA Guidelines for Auto Insurers Offering Usage-Based Insurance Programs

The Alberta Office of the Information and Privacy Commissioner issued privacy impact assessment guidelines for insurers implementing usage-based insurance programs. When submitting a PIA for review, details should be provided about the organization’s management structure, policy management, training, incident response, and access and correction requests; an analysis of program-specific privacy topics should be completed (such as information flow, notifications, consent, contracts, agreements and use of PI outside Canada) and include a description of access controls, mitigation plans and monitoring procedures. [OIPC AB – Privacy Impact Assessment Guidelines for Insurers]

EU – European Commission Issues Recommendations for Data Protection and Privacy in Intelligent Transport Systems

The European Commission Cooperative Intelligent Transport Systems (“C-ITS”) Platform Working Group issued its final report relating to privacy and data protection in the context of C-ITS. Messages sent between vehicles and the IT infrastructure raise potential concerns because of the potential indirect identification of users; a list of clearly identified applications where consent is necessary should be accessible to drivers, and all situations where secondary use or re-purposing of data may take place should be identified. [European Commission – C-ITS Platform Final Report]

EU – Security and Privacy Challenges in Developing an EU Legal Framework for Automated Vehicles

The European Parliamentary Research Service issued a report on data protection and cyber security in automated vehicles. Connected cars can generate, store and transmit users’ personal data (route to work, time of driving, appointments, etc.) that have significant potential for other uses; the connection between the in-vehicle system and the vehicle manufacturer’s central server has to be secure to prevent unauthorised disclosure and manipulation. [European Parliamentary Research Service – Automated Vehicles in the EU]

Surveillance

US – NSA Civil Liberties and Privacy Office Issues Results of Assessment of its Metadata Collection

The Civil Liberties and Privacy Office at the NSA issued a report on a privacy impact assessment examining implementation of changes effected by the USA FREEDOM Act. Collection of call record details satisfies the transparency principle through release of detailed implementation information and mandatory reporting requirements (i.e. number of targets, unique identifiers used and search terms); the principle of data minimization is satisfied because only telephone metadata can be collected, records that do contain foreign intelligence information must be promptly destroyed, and data can only be retained for a maximum of 5 years. [NSA Civil Liberties and Privacy Office – Transparency Report – the USA FREEDOM Act Business Records FISA Implementation]

US – California Police Department Uses Stingrays from Planes

According to documents obtained by the ACLU, the police department in Anaheim, California, has used surveillance technology that has been referred to as “stingray on steroids.” Known as Dirtboxes, the powerful cell-site simulators are mounted on airplanes to collect data on thousands of phones at once — listening to conversations, reading emails and text messages — beginning in 2009. A California state law that came into effect on January 1, 2016 requires law enforcement agents to obtain a warrant before using a cell-site simulator. [Ars Technica] [Wired] [Document Cloud] [BuzzFeed] SEE ALSO: [Hailstorm surveillance tool in privacy advocates’ crosshairs]

US – Commonwealth Court Rules Pro-Police In Phone Rummaging Case

The Massachusetts Supreme Judicial Court ruled in favor of police officers who obtained a warrant to search a suspect’s iPhone and checked both his texts and photographs. The defendant argued that police only had probable cause to inspect his texts. “Communications can come in many forms including photographic,” the majority opinion countered. “So long as such evidence may reasonably be found in the file containing the defendant’s photographs, that file may be searched.” Critics are calling for new regulations to protect mobile privacy. “We need very clear standards for police officers who are issuing warrant applications,” said the ACLU of Massachusetts. [Ars Technica]

US – Report Says the Threat of “Going Dark” is Overstated

A report from Harvard’s Berkman Center for Internet & Society, titled, “Don’t Panic: Making Progress on the ‘Going Dark’ Debate,” says that US law enforcement’s concerns about encryption allowing terrorists to “go dark” overstate the problem. The report said that while encryption may hinder some surveillance activity, the increasing spread of Internet connected devices can “likely fill some of these gaps and … ensure that the government will obtain new opportunities to” conduct surveillance. [The Hill] [ComputerWorld] [ZDNet] [CNET] [New York Times] and also: [Hillary Clinton Hints At Apple, Facebook Compromise Over Encryption]

US – NYC Dept of Consumer Affairs Investigating Baby Monitor Security

The New York City Department of Consumer Affairs is investigating baby monitors that are vulnerable to attacks. The agency has sent subpoenas to four as-yet unnamed companies asking for information about the way they address the security of their products. It has also posted an alert for consumers that includes advice on how to protect their monitors. [NBC News] [Wired] [NYC.gov] [NYC launches investigation into hackability of baby monitors ]

Telecom / TV

CA – Cell Phone Evidence Should Not Be Excluded: Ontario Court

The Ontario Superior Court of Justice considered an application by an arrestee to exclude from evidence at trial his cell phone and cell phone number, pursuant to the Canadian Charter of Rights and Freedoms. The Defendant has only a low privacy interest in the cell phone and the number (e.g. it is less personal than health records, and the call log was acquired only after obtaining judicial authorization); the Defendant himself made reference to his cell phone after he had been given the opportunity to consult with his counsel, and the cell phone number could have been extracted from the cell phone itself (which was already in police possession). [Her Majesty the Queen v. Andre Palmer – 2016 ONSC 153 – Ontario Superior Court of Justice]

CA – Ontario Court: Production Order for Cell Tower Information is Unreasonable Search and Seizure

The Ontario Superior Court of Justice issued a decision on the application by Rogers Communications and Telus Communications to revoke a production order pursuant to section 487.012(5) of the Criminal Code. The required disclosure of personal information was beyond what was reasonably necessary to gather evidence, such as bank and credit card information, information of any subscriber near to the scene, and the location of the other party to the call (who could be far removed from the crime scene); production orders should include an explanation of why the requested information is relevant, details to conduct a narrower search and request a report based on the data (not the data itself). [Her Majesty the Queen v Rogers Communications Partnership and Telus Communications Company – Ontario Superior Court of Justice – Court File No CRIMJ P 299-14] See also: [Dragnet No More? Recent guidance on production orders] and also: [D. Fraser: Tower dump case raises troubling questions about law enforcement and privacy] and [Canadian Judge Offers Guidelines to Make Cellphone Surveillance Less Intrusive]

US – NY Bill Requires Smartphones to be Decrypted or Unlocked by Manufacturers or System Providers

Assembly Bill A8093, relating to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer, was introduced in the General Assembly. The bill, if passed, would require that any smartphone that is manufactured on or after January 1st, 2016, and sold or leased in New York, be capable of being decrypted and unlocked by its manufacturer or its operating system provider; the seller or lessor of any smartphone that is not capable of being decrypted and unlocked would be subject to a civil penalty of $2500 for each smartphone sold or leased (a civil suit may be brought by the attorney general or the district attorney). [AB A8093 – An Act to Amend the General Business Law in Relation to the Manufacturing and Sale of Smartphones That are Capable of Being Decrypted and Unlocked by the Manufacturer]

US Government Programs

US – New US Government Agency Will Handle Background Checks

The White House has announced that a new agency will assume the job of conducting background checks on contractors and government employees. The Office of Personnel Management’s (OPM) Federal Investigative Services (FIS) will become part of the National Background Investigations Bureau (NBIB). “The Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB.” [FCW] [Whitehouse.gov] [NextGov] [The Hill] [v3.co.uk]

WW – FIDO Issues Privacy White Paper

The FIDO Alliance has issued a new Privacy White Paper to mark Data Privacy Day explaining how FIDO’s protocols and specifications help to protect user privacy; as the consortium put it in a synopsis, “there is no privacy with security.” FIDO points to recent research on data breaches indicating that 95% of web app hacks rely on stealing customer credentials from mobile devices—and of course those credentials are virtually all passwords. FIDO’s goal is to replace archaic password-based security systems with more advanced frameworks incorporating measures like risk-based authentication and two-factor authentication. Security systems that adhere to FIDO protocols don’t involve third parties, keep biometric data on the user’s device, require user consent for the release of data, and incorporate many other principles designed to ensure that user data is protected behind advanced authentication apparatuses. [MobileIDWorld]

US Legislation

US – Senate Marks Data Privacy Day With Passage of Critical Bill for Safe Harbor

The US Senate celebrated Data Privacy Day by passing a critical piece of legislation that will extend US privacy rights to Europeans. The Judicial Redress Act passed the Senate’s Judiciary Committee this week, putting it in front of the full Senate and making it a virtual certainty to become law. The Act will extend the same privacy rights that US citizens enjoy to European citizens, and will provide European citizens with the right to proper judicial redress over how their data is handled by American corporations and the US government. Europeans will be able to access records about themselves collected by the US government, and amend those records. If the records are disclosed unlawfully, they will be able to sue. [Source]

US – Sweeping Vermont Privacy Bill Passes State Senate

The legislation would restrict the use of drones by state and local law enforcement, generally prohibit police from obtaining electronic data (including emails, web browsing history, call and text message content, location information and files stored on third-party servers such as the “cloud”) from service providers without a warrant or judicially issued subpoena, and would also provide some restrictions on sharing of data gathered by automatic license plate readers in Vermont. The bill does not place limits on the use of ALPRs for “legitimate law enforcement purposes,” but it does require data to be destroyed after 18 months unless the law enforcement agency obtains a warrant, or if the plate data is relevant to the defense of a pending or reasonably anticipated charge or complaint. Under the proposed law, state and local law enforcement could share data with other agencies for a “legitimate law enforcement purpose,” but the receiving agency must adhere to the data retention limits under the state law. [Source] The bill passed with no recorded opposition. See also: [Missouri state Rep. Ken Wilson has proposed a bill to exempt police body camera footage from Freedom of Information Act requests when there is a reasonable expectation of privacy] and [Washington, DC, Council member David Grosso has introduced a bill to protect student privacy]

Workplace Privacy

CA – Court Finds Employee Incident Did Not Meet Threshold to Warrant Drug or Alcohol Testing

The International Brotherhood of Electrical Workers, on behalf of George Degg, filed a grievance against Jacobs Industrial for violations of the Grievor’s privacy. The privacy interest of the employee should prevail over the company’s desire to positively rule out the possibility of drugs or alcohol as a factor in a vehicle accident, given that minimal damage was caused (less than $5,000 in repairs) and the absence of any clear link between the employee’s situation and the incident (the employee had no record of safety violations, sign of impairment, injury from the accident or evidence of a potential for greater damage). [Jacobs Industrial v International Brotherhood of Electrical Workers – 2016 CanLII 198 – ON LA]

US – Study: Employee Data Not Encrypted to Level of Customer Data

A new Sophos global study of organizational security techniques found that employee data protection falls far below the organization’s treatment of customer data in mid-sized organizations, with nearly one-third of companies not routinely encrypting employee financial information and nearly 50% not doing the same for health care records. The results aren’t necessarily all bad. “Two years ago, the number of them not encrypting was in the 75% range. The fact that we’re going toward the 50-50 range is actually an awareness on their part that they don’t want to be [the organizations] in the press.” [DarkReading]

US – Census Bureau Decides Against BYOD

The US Census Bureau has decided not to allow employees to use their own Internet-connected devices while gathering information for the 2020 census. Instead, the bureau will procure devices that will run its Compass application, which runs on multiple operating systems. [FCW]

+++

09-15 January 2016

Biometrics

CA – Candid Facial-Recognition Cameras to Watch for Terrorists at Border

Canada’s border agency plans to compare images of people arriving in the country with photographs of suspects on watchlists to keep out alleged terrorists and other criminals. In his recently released annual report, privacy commissioner Daniel Therrien says his office provided advice on the potential pitfalls, including the possibility of “false positives” that could result in unnecessary secondary screening for travellers. The office also urged the border agency to assess the risks of using such technology, including issues that might arise during testing phases. [Source]

US – Court Rules Shutterfly May Have Violated Privacy by Scanning Face Photos

A US federal judge has denied a motion to dismiss a civil case against photo-sharing site Shutterfly that claims the company violated users’ privacy by collecting and scanning face geometries from uploaded images without consent. The first-of-its-kind ruling could open the door to future class-action lawsuits against Shutterfly and other social networks that use facial recognition technology without an opt-in policy. [Source] [Court Ruling on Shutterfly Face Scans Could Spell Trouble for Facebook]

Canada

CA – Ontario Court Provides Clear Guidance on Privacy and “Tower Dumps”

The Ontario Superior Court released an important decision in R. v. Rogers & Telus, 2016 ONSC 70, which provides police and prosecutors with clear guidance on when and how they can obtain telco customer information through “tower dumps”. Tower dumps are the production of all the records of a cell phone tower at a particular time. Since your mobile phone is always communicating with at least one tower, tower dumps can tell the police who is in the vicinity of a particular location at a particular time. They are troubling because the records overwhelmingly contain information about people who have nothing to do with the underlying investigation. [David Fraser blog] See also: [Rogers, Telus Await Landmark Ruling on Cellphone Privacy] [Police sweeps of cellphone records violate privacy rights, judge rules] [Ontario court rules police orders breached cellphone users’ Charter rights] and [Why Canada’s Telecom Regulator Is Suddenly Acting More Like the Cops]

CA – Thousands Flagged by Canada’s New Air Passenger Screening System

Canada’s new security system for scrutinizing people who arrive by airplane singled out more than 2,300 passengers for closer examination during a recent three-month period, the federal border agency says. The CBSA says the travellers – flagged for possible links to terrorism or serious crime – represented a tiny fraction of the millions who flew into the country. Still, privacy and civil liberties watchdogs want to know more about the border agency’s so-called scenario-based targeting system to ensure individual rights are not being trampled. The agency has implemented the targeting system, already used by the United States, as part of Canada’s commitment to co-operate with Washington under the 2011 continental security pact known as the Beyond the Border initiative. Privacy Commissioner Daniel Therrien is pressing the border agency to explain the program’s rationale and build in safeguards to protect individual liberties. Travellers may be targeted if they fit the general attributes of a group due to traits they cannot change such as age, gender, nationality, birthplace, or racial or ethnic origin, he warns. [Source]

CA – Canada’s Military Plans to Monitor the World’s Social Media

Canada’s military wants to monitor and analyze the world’s social media streams, with 24/7 access to real-time and historical posts on websites like Twitter, Facebook, and Instagram. And they don’t want anyone knowing it’s them doing the monitoring, either. The Department of National Defence and its research wing, Defence Research and Development Canada, are in the market for a new Internet monitoring platform that can analyze and filter the daily firehose of social media posts. The platform envisioned by the military will pull from the most popular social media sites — Twitter, Facebook, YouTube, Instagram — but will also track data from a much broader range of websites. Blogs, message boards, Reddit, even the comment sections on news sites will be brought in for review and analysis by as many as 40 intelligence officers. A spokesman for DND said the platform is not intended to be directed at Canadians’ online activity, and will comply with Canadian privacy laws. [The Star]

CA – Greg Clark Demands Fresh Probe into Alberta Shred-Gate Scandal

Nearly 350 boxes of documents were destroyed improperly by the outgoing PC government, the privacy commissioner says. Calgary MLA Greg Clark says the NDP must bring in new rules and penalties. “What’s important is that the rules are clear about what can be destroyed, and when it’s destroyed and why it’s destroyed and that we have a record of it having been destroyed and what it was before it was destroyed.” [CBC News]

CA – MP McGuinty to Chair Parliamentary Committee to Monitor Spying, Security

The Liberals are planning to table legislation by June creating the first all-party committee of parliamentarians to monitor the top-secret operations of Canada’s expanding national security establishment. Public opinion polling shows many Canadians want a tighter watch over spy agencies and other federal intelligence gatherers, commensurate with their extended powers under C-51. [Source] [Canada campaigners to demand public debate on controversial anti-terror law]

CA – Goodale says Canada Must Be ‘World Leader’ in Tackling Radicalization

The public safety minister promises more money for the RCMP to fight home-grown extremism. Responding to questions about recent media reports about children and others erroneously tagged on the no-fly list and flagged as national security risks, Goodale said existing regulations do not require secondary screening for children under 18 years of age. Airlines may be “going beyond what they are required to do,” he said. “They may have been misinformed or confused about the application of the rules.” Goodale also provided more details on ways the government could strengthen the no-fly list to ensure children aren’t erroneously barred from flights or subject to secondary screening. [Source] [Government may take extra steps to examine security agencies: Goodale]

CA – Pilot Project Has Victoria Buses Equipped With Audio Security

B.C. Transit has added audio security equipment to 109 buses already equipped with security cameras, all part of a pilot project to see how much the safety of operators and passengers can be improved by such devices. As of Monday, the audio will always be on in the operator’s compartment, at least until April, when the one-year $400,000 pilot project concludes. All but 25 of the buses are in Victoria; the remainder are in Kamloops. The change means that conversations between the operator and a passenger will be recorded. “The audio recording is always on, just like the camera system, from the time the bus turns on until it is off. If there is an incident, the operators push a ‘tag’ button, which allows us to find it and download it after an incident.” As well as audio coming onstream, Monday marked the activation of two external side-mounted cameras on 13 buses in the Victoria fleet. Officials from the BC OIPC have talked to Transit security staff about surveillance concerns, but nothing has changed since commissioner Elizabeth Denham raised concerns in April. [Times Colonist] See also: [CA – The thorny issue of retention periods – Insurers Beware]

Consumer

US – Majority of Parents Monitor Their Teens’ Digital Activity

The Pew Research Center surveyed parents of 13 to 17-year-olds and found that they’re taking a range of steps to keep track of their kids’ online lives and to encourage them to use technology appropriately and responsibly. [Source]

US – Americans Would Trade Privacy for Safety: Pew Study

When it comes to coaxing personal information out of Americans, a Pew Research Center report found that certain factors, like safety, lead to greater acceptance than cost savings can. It turns out that the tipping-point issues in balancing these privacy concerns include: how valuable the benefit survey participants receive in return for their personal information is, how they view the company or organization that is collecting the data, how long the data is retained, and what is done with the data once it is collected. [Source]

WW – Lack of Trust Deters More Than a Third of Mobile Users From App Use

AVG Technologies and MEF’s 2016 MEF Global Consumer Trust Report found that more than 36% of consumers have either delayed using or avoided some mobile apps altogether due to the privacy concerns the tools raise. This is the fourth consecutive year that concerns of this nature took the study’s top spot. “The data confirms what we know to be true: lack of trust is increasingly becoming a barrier to the use and proliferation of mobile apps,” said AVG’s Harvey Anderson. “One of the most interesting findings was that almost half of the consumers surveyed worldwide were willing to pay more for privacy-friendly apps that ensure that the data collected is not shared with third parties,” he added. [eWeek]

E-Government

US – Contractors Must Ensure Adherence to DoD Interim Order on Cloud Computing and Sub-contracting

Government contractors must undertake to comply with the Department of Defense’s interim rules from August 2015 (cloud computing) and October 2015 (supply chain). Government contractors should ensure that the physical storage location of cloud services is within the United States or its outlying areas; that their employees, as well as employees of subcontractors, are aware of and bound by appropriate confidentiality obligations; and that they implement a reasoned process to establish and verify suppliers under covered contracts as “trusted suppliers” (taking steps to replace those that are unable to qualify). [Security Developments for Government Contractors – Squire Patton Boggs] See also: [Amazon Will Open First Cloud Data Storage Centers in Canada]

E-Mail

US – Yahoo Agrees to Settle Email Privacy Suit

Yahoo! has agreed to settle a class action challenging the way the company analyzes email messages to serve targeted ads to users of its popular Yahoo Mail service. The deal would settle claims brought on behalf of non-Yahoo subscribers who claimed their messages were intercepted, scanned and stored as part of communications with Yahoo Mail users. The settlement is subject to approval from U.S. District Court Judge Lucy Koh who has been overseeing In re Yahoo Mail Litigation, 13-4980. The proposed settlement doesn’t include a cash payout to class members. However, the company has pledged to make changes to its privacy disclosures and the architecture of its email system. [The Recorder]

Electronic Records

WW – Survey: Credential Theft, Alert Volumes Top List of Concerns

A survey from Rapid7 asked nearly 300 security professionals worldwide to list their top security concerns. 90% of respondents said they are worried about compromised credentials; 60% said they are unable to detect such attacks. 62% of respondents said that their organizations receive more security alerts than they can manage. [The 2015 Incident Detection and Response Survey] [CSO Online] [eWeek]

Encryption

WW – 200 Experts Oppose Backdoors for Encryption

A group of 200 experts has urged the world’s governments not to introduce backdoors into encryption products, in an open letter posted this week that echoes sentiments expressed by the Dutch government in a formal position on encryption published last week. The letter addresses itself to “the leaders of the world’s governments” and urges them to support encryption as a way to “protect the security of your citizens, your economy, and your government.” The letter ends with a five-point argument that governments should:

  • Not limit access to encryption
  • Not mandate backdoors
  • Not require that third parties have access to encryption keys
  • Not try to weaken encryption standards
  • Not pressure companies into breaking any of the previous four points

[The Register] See also: [French government rejects crypto backdoors as “the wrong solution”]

US – Juniper Networks Will Replace Questionable Components from its Products

Juniper Networks says it will remove code developed by the NSA from its firewall products. The code was found to silently decrypt traffic sent through virtual private networks. Juniper plans to replace a cryptography component in its ScreenOS operating system. [ArsTechnica] [Wired] [eWeek] [Juniper.net]

US – FTC Fines Encryption Software Company $250,000

Henry Schein Practice Solutions, Inc. has agreed to settle FTC charges that it misled customers about encryption of patient data. An FTC agreement (in effect for 20 years) resolves complaints that the software company deceptively claimed that its product provided industry-standard encryption of sensitive patient information as required by the Health Insurance Portability and Accountability Act; the company is required to notify all affected customers within 60 days, establish a toll-free number and email address to respond to inquiries, and provide customer information to enable the FTC to administer consumer redress. [FTC In the Matter of Henry Schein Practice Solutions Inc – Agreement Containing Consent Order]

US – Interior Department IG Finds Laptop Encryption Ineffective

According to an advisory from the US Interior Department’s Deputy Inspector General, misconfigured software on nearly 15,000 department laptops could lead to data theft. Although the full-disk encryption software was initially configured to run pre-boot authentication, settings have been altered so the computers run post-boot authentication, making the data on the systems vulnerable to a specific attack. The advisory recommends that Interior’s CIO “mandate the use of pre-boot authentication on all laptops and implement a monitoring and enforcement program that mitigates noncompliant systems.” [Deseret News] [FedScoop] [DOI IG Report] See also: [Ransomware Evolution: Another Brick in the CryptoWall]

EU Developments

UK – Tougher Sentencing Powers Needed to Deter Data Thieves, Says ICO

The UK information commissioner Christopher Graham has called for stronger sentencing powers for people convicted of stealing personal data, after a woman who sold 28,000 pieces of sensitive driver data was fined just £1,000. [The Guardian] [UK privacy watchdog wants to be able to send data thieves to prison: Resumes campaign for new powers] See also: [Journalists warned that ‘snoopers’ charter’ bill is part of ‘no privacy for us, no scrutiny for them’ Government strategy] [“UK doesn’t do mass surveillance,” claims Theresa May in bid for new Snooper’s Charter. End-to-end crypto is fine, apparently, but information must be “readable.” Hmm] [ICO Questions Data Retention Plans Under Snoopers’ Charter Draft] [Here are the warnings from Facebook, Google, other firms about Britain’s proposed “mass surveillance” law] [U.S. Tech Giants Join Forces Against U.K. Spying Plans] [Tech giants call on UK government to ensure new surveillance laws are ‘jurisdictionally bounded’]

EU – EDPS Issues Recommendations for EU Communications Data

The European Data Protection Supervisor has issued guidelines for the processing of the following categories of electronic communications data (“eCommunications”) for EU institutions: telephone, email and internet. Key recommendations include defining the content and retention period of security logs, ensuring generated statistics are anonymous, informing staff and callers of possible recordings before they happen, and ensuring that covert monitoring of employees undergoes a prior check, has a compelling justification and is recorded in a register of all authorisations and instances of monitoring. [EDPS – Guidelines on Personal Data and Electronic Communications in EU Institutions]

FOI

US – The NSA Said It Needs 4 Years to Answer a FOIA About a Coloring Book

Since at least 2005, the NSA has employed a cast of cartoon cats, squirrels, turtles, and other woodland creatures who like to encourage children to pursue the politically important subject of cryptography and perhaps eventually a job in national security. Crypto Cat and crew espouse many virtues, but “transparency” and “timeliness” do not appear to be among them. [Source]

CA – BC Judge Rules to Open Secret Terror Hearing

B.C. Supreme Court Justice Catherine Bruce ruled that it is possible to protect the privacy and safety of a Canadian Security Intelligence Service source without the need to keep a hearing entirely confidential in connection to the investigation of John Nuttall and Amanda Korody. The fundamental principle of open court means that in-camera hearings should only be used as a last resort when other security measures won’t work, Bruce said in her ruling. “I find there is scope for a more limited order than was originally proposed.” [Source]

US – Librarians Purge User Data to Protect Privacy

US libraries are doing something even the most security-conscious private firm would never dream of: deleting sensitive information in order to protect users. Multiple librarians have pushed back against “national security letters” demanding such records in the name of public safety – a dangerous order to resist, since those letters include a gag order. But in 2005, when the FBI served a national security letter on Connecticut’s Library Connection demanding reading records and hard drives, the librarians resisted with such force that the government capitulated. The American Library Association had their backs, resolving unanimously to “condemn the use of National Security Letters to demand any library records”. [Source]

Health / Medical

US – HHS Unveils New Tools to Help Patients Understand HIPAA Privacy Rules

The federal agency says people too often face obstacles to accessing their health information. “Unfortunately, based on recent studies and our own enforcement experience, far too often individuals face obstacles to accessing their health information, even from entities required to comply with the HIPAA Privacy Rule,” Jocelyn Samuels, HHS director of the Office for Civil Rights, wrote. “This must change.” [Source]

UK – NHS-Backed Health Apps ‘Riddled With Security Flaws’

All of the NHS-approved apps audited by a private firm lacked binary protection against code tampering, and most also lacked adequate protection in the transport layer. Flaws also emerged in FDA-approved health apps in use in the US. Arxan found at least two of the Open Web Application Security Project (OWASP) Mobile Top 10 Risks in 90% of the 126 apps investigated. More than 80% of the health apps tested that were approved by the US FDA or the UK NHS were also found to have at least two of the OWASP Mobile Top 10 Risks. The findings are part of Arxan’s 5th Annual State of Application Security Report, which this year focused on healthcare and finance apps. The upshot is that mobile health apps approved by regulatory/governing bodies are nearly as vulnerable as other mobile apps. [Source]

Horror Stories

CA – Halifax Man Finds Apparent Military Hard Drive at Recycling Depot

A 30 GB hard drive found at a recycling depot that a Halifax man says contains personal information including the names and numbers of defence personnel has been taken by the military. Pete Stevens said he recovered about 10 GB of data from the 30 GB hard drive, including 6,000 photos, spreadsheets with the names and numbers of military personnel and their families, and completed applications for security clearance. [CTV News] [CBC: Canadian military investigating after hard drive found at recycling depot]

CA – Sask RN in Deep Over Facebook Posts About Her Granddad

A Prince Albert nurse could be disciplined for writing a Facebook post about the “subpar care” her grandfather received in a Macklin hospital. A registered nurse at St. Joseph’s reported the comments to the Saskatchewan Registered Nurses’ Association (SRNA), the provincial body that regulates nurses. The SRNA charged the nurse, Strom, with professional misconduct. It’s the first time the association has laid such charges against a member for comments made on social media. The SRNA argues Strom violated the provincial Health Information Protection Act by disclosing her grandfather’s confidential health information online, failed to raise her concerns with the appropriate people and tarnished the reputations of St. Joseph’s and its staff. Because Strom identified herself as a registered nurse in her post, she “engage(d) the professional image of registered nurses in general as well as (her) personal professional obligations,” SRNA said in the hearing notice. Strom said she was “shocked” by the charges. “What worries me about this is: Is this going to hinder future family members, who just happen to be health-care workers, from advocating for their family members for fear of retribution from the SRNA?” she asked. “It bothers me.” [Saskatoon StarPhoenix] [Editorial: Questionable case of misconduct] [CBC: Facebook post leaves Prince Albert, Sask. nurse charged with professional misconduct]

Identity Issues

CA – Manitoba Government Approves All-In-One Personal Identification Card

Manitobans will soon have access to an all-in-one personal identification card (PIC). The PIC will integrate a person’s health identification number (PHIN) onto the back of driver’s licences and photo identification cards, which are expected to be issued starting in the fall of 2017, and will be authenticated using industry-proven policies, procedures and practices currently in place at Manitoba Public Insurance. Manitoba Public Insurance already issues photo identification to approximately 92% of health card holders. Anyone who requires a Manitoba Health Card will transition to a new PIC at no charge. Manitoba Public Insurance launched a comprehensive, five-week public and stakeholder consultation process last August. More than 4,000 Manitobans and 29 stakeholder organizations provided input. The full consultation report is available for viewing on the MPI website at www.mpi.mb.ca. [Source]

Online Privacy

EU – German Court Calls Facebook’s Find-a-Friend Function Illegal

A German court has ruled that Facebook Inc.’s current find-a-friend function is illegal, labeling it an unacceptable and intrusive form of advertising. The decision by the Federal Court of Justice this week upholds a previous ruling by a lower court against Facebook, which has faced a number of legal disputes in Europe regarding privacy protection. Facebook’s find-a-friend function accesses users’ email address books and sends invitations to contacts who aren’t yet members of the social-network site. [WSJ]

Privacy (US)

US – Patients Can Sue for Data Breach Based on Data Exposure Alone: Court

A Massachusetts Superior Court judge held that a plaintiff has standing to sue for money damages based on the mere exposure of the plaintiff’s private information in an alleged data breach. The court concluded that the plaintiff had pleaded a “real and immediate risk” of injury despite failing to allege that any unauthorized persons had even seen or accessed that information. This decision is significant for several reasons. First, the case represents a comparatively lax approach to standing, in which alleging the mere exposure of information with the potential for access and misuse by unauthorized persons pleads sufficient injury to establish standing and survive a motion to dismiss. In contrast, in Clapper, 113 S. Ct. 1138, 1143 (2013), the U.S. Supreme Court held that plaintiffs who alleged that the NSA actually had access to their private telephone and email conversations through its surveillance program still lacked Article III standing to sue based on the theory that their communications would be obtained at some future point. In other words, the threat of future injury was insufficient to support Article III standing even where access, not just exposure, to private information was actually alleged. [Source] See also: [US – The new way police are surveilling citizens: Calculating their threat ‘score’]

Security

EU – Companies Unprepared for EU GDPR: Study

IT governance and technology deficiencies impede organizations from complying with the “Right to be Forgotten” and the EU GDPR by 2018. Although 46% of global organizations received customer requests to remove data in the last 12 months, 41% lack defined processes, documentation and technology, according to a Blancco Technology Group study. Key corporate security trends that surfaced from the study include:

  • Awareness of GDPR is high (48%) among global IT professionals, but their level of preparation is much lower: 40% admit to being less than fully prepared, with 16% still needing to find the right data removal software, 9% uncertain of how and where to start, and 15% not even knowing whether they are prepared.
  • Lack of documentation, processes and tools increases the likelihood of GDPR violations: 60% of the surveyed IT professionals stated that it would take their organisation up to 12 months to implement the necessary IT processes and tools to pass a “right to be forgotten” audit, while 25% do not know how long it would take.
  • Data erasure software (48%) tops the list of the most valuable types of technology for ensuring GDPR compliance, followed by encryption key removal tools (26%) and malware removal tools (10%).
  • IT professionals inside and outside of Europe (65%) are keen to implement data protection laws similar to the framework of the EU GDPR.

[Security News]

US – PCI SSC Explains How to Respond to a Data Breach

Recently, the Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled “Responding to a Data Breach” that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. The guidance also highlights some of the difficulties in developing proper response procedures, specifically the challenges in mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [Privacy Advisor]

WW – Known Vulnerabilities Cause 44% of All Data Breaches: Study

Most IT experts are well aware of the need to patch vulnerabilities in their systems as soon as possible, but despite this, known security issues remain the leading cause of corporate data loss and production downtime in the enterprise. That’s the biggest finding of BMC Software Inc.’s latest security survey, The Game Plan for Closing the SecOps Gap. The report, which was conducted by Forbes Insights on behalf of BMC and surveyed more than 300 C-level executives from U.S. and European firms, found that known vulnerabilities are the leading cause of data breaches, accounting for 44 percent of all such incidents. [Source]

Surveillance

US – New York to Appoint Civilian to Monitor Police’s Counterterrorism Activity

The New York City mayor will appoint an independent civilian to monitor the New York Police Department’s counterterrorism activities, as the city moves to settle a pair of lawsuits over surveillance targeting Muslims in the decade after the Sept. 11 attacks. With the settlement, the surveillance of Muslims becomes a chapter in the long history of controversial police tactics in New York. [New York Times]

EU – Belgian DPA Requests Opinion on US Surveillance Laws Under Schrems

The European Court of Justice (ECJ) failed to take into account numerous changes in U.S. surveillance practices when it invalidated the Safe Harbor program in the Schrems case, according to a report by Prof. Peter Swire. The Schrems decision reflected a “serious misunderstanding of U.S. national security law,” the report concluded. Swire finds:

  • that the U.S. legal order as it relates to privacy and surveillance is “essentially equivalent” to the EU’s,
  • that the ECJ came to the wrong conclusion regarding section 702 of the PRISM program, and
  • that the decision neglected the two dozen significant reforms the U.S. has made to its surveillance practice since 2013.

The Belgian Privacy Authority requested that the report answer two questions for a forum on the Schrems decision that it hosted:

  1. Is U.S. surveillance law fundamentally compatible with EU data protection law?
  2. What actions and reforms has the U.S. taken since Edward Snowden’s revelations of U.S. government surveillance began in June 2013?

[More at BNA.com]

US – Why the Non-Malicious Insider Is Quickly Becoming a Huge Threat

Despite the steadily increasing number of enterprises adopting security software, which has proved important in enabling companies to more successfully secure and track sensitive data, there is a big missing link to tie all of these efforts together: employee education. According to a recent survey we conducted with CoSoSys customers, 35% of enterprise employees think that data security is not their responsibility. This is a serious issue when you consider that 70% of these employees have access to and use confidential company files. Additionally, 60% don’t even know which files are confidential. When you add disgruntled or recently fired employees whose system access has not yet been revoked to the mix, companies are leaving themselves open to a potentially devastating breach. [Source]

US Government Programs

US – New Student Database Slammed by Privacy Experts

The U.S. Education Department’s new planned system of records that will collect detailed data on thousands of students — and transfer records to private contractors — is being slammed by experts who say there are not adequate privacy safeguards embedded in the project. The non-profit Electronic Privacy Information Center, or EPIC, told the department in a January 2016 formal complaint that its new system of records for the “Impact Evaluation of Data-Driven Instruction Professional Development for Teachers” violates the Privacy Act by: (1) collecting irrelevant and unnecessary information and (2) not clearly stating the purpose of the proposed routine use disclosures. [Washington Post] [The astonishing amount of data being collected about your children]

US – Report: Feds Leave 42% of Cybersecurity Recommendations Undone

The Government Accountability Office discovered that out of its 2,000 recommendations on cybersecurity for federal agencies in the past six years, 840 remain undone, for a completion rate of 58%. This number contrasts greatly with the average completion rate for general recommendations of 80%. “Implementing this and other outstanding recommendations could better protect federal data and federal agencies’ responses to cyberattacks and data breaches,” the agency wrote in a blog post. [FedTech]

US Legislation

US – House Passes Substantial FOIA Reforms

Congress has passed the FOIA Oversight and Implementation Act, H.R. 653, which would limit exemptions that allow agencies to withhold public records, create an online portal for FOIA requests, and require agencies to post frequently requested documents. Open government advocates and members of Congress have criticized federal agencies for lax compliance with the Freedom of Information Act. The House Oversight Committee concluded that “[e]xcessive delays and redactions” have undermined the Act. The FOIA Ombudsman criticized the Transportation Security Administration for its “weak management” and lack of a “FOIA tracking system.” EPIC has pursued many FOIA cases. EPIC and a coalition previously urged President Obama to strengthen the FOIA by committing to a “presumption of openness” and narrowing the use of FOIA exemptions. [Source]

Workplace Privacy

EU – EDPS Issues Guidelines on Work-Related Use of Mobile Devices

The European Data Protection Supervisor has issued guidelines on the protection of personal data in mobile devices (“devices”). The guidelines examine the risks for personal data processed on mobile devices (leakage of personal data and compromised credentials), the applicable procedures for lifecycle management of devices (i.e. mobile device inventory and asset disposal), and the necessary security measures, such as remote wipe and lock, user and application access restriction, secure logs and audit trails, full disk encryption, and application whitelists and blacklists. [EDPS – Guidelines on the Protection of Personal Data in Mobile Devices Used by European Institutions]


+++

1-8 January 2016

Big Data

US – FTC Issues Guidance on Big Data

The report looks at the end uses of that ubiquitous collection of data from a variety of sources after it has been analyzed and chronicles such upsides as boosting education, non-traditional access to credit, specialized healthcare and access to employment. But it also surveys risks, which it identifies as “inaccuracies” about certain groups, exposing sensitive information, targeting vulnerable consumers for fraud, increasing the price of goods in lower-income communities, and reducing consumer choice. [Broadcasting News] [Big Data: A Tool for Inclusion or Exclusion? Understanding the Issues] SEE ALSO: [Data in 2016: 5 Trends That Will Drive Big Data]

Canada

CA – IPC Recommendations to Protect PHI When Using Various Technologies

The IPC has provided guidance on best practices for protecting personal health information. When retaining PHI on mobile or portable devices, strong encryption should be used (keys should be of a sufficient length and error messages should be monitored and responded to immediately) and the device should have strong password protection (random string of letters, numbers and symbols). Shared electronic health record systems should have harmonized policies and procedures that address training, consent management, breach management, complaints and inquiries. [IPC Presentations From the 2015 PHIPA Summit]

Consumer

US – Pew Survey Indicates Confusion Over Online Data-Sharing Decisions

A new Pew Research Center survey indicates a “significant minority” of American adults have felt confusion about whether to share personal information with companies. The survey found that while 50% said they were confident they understood what would happen with the information they shared, 47% said they were not. 35% of respondents said they were discouraged with the effort required to try to understand data uses, while 38% said the information provided in various companies’ privacy policies confused them. 29% said they found themselves impatient in that they needed to make a decision quickly but felt they wanted to learn more. [Full Story]

US – Study Finds Simplified Privacy Notifications Ineffective

A new survey-based study by two University of Chicago Law professors published on the Social Science Research Network found that the simplification of privacy disclosures did not modify user behavior. “Simplification of disclosures is widely regarded as an important goal and is increasingly mandated by regulations in a variety of areas of the law,” said the study authors. “In privacy law, simplification of disclosures is near universally supported.” However, “our results reveal that none of the simplification techniques help inform respondents or affect their behavior. They call into further question the wisdom of focusing much regulatory effort on improved disclosures,” they continued. [Source]

Electronic Records

UK – NHS to Implement Platform that Integrates Imaging, Genomic Data

England’s National Health System will be implementing an integration platform that will link medical imaging and genomic data, with the intent of bringing together key information at the point of care. The NHS will be rolling out the system from Kanteron Systems that will allow NHS to have exclusive and unrestricted access to its medical imaging and genomic data integration platform. Kanteron is working with various technology partners that have significant business with U.S. healthcare providers. They include IBM, Microsoft and Hitachi Data Systems. Kanteron executives said the company will offer additional services, such as consulting, implementation, integration, migration, tech support and more, to support adoption of new clinical workflows. [Source]

Encryption

EU – Dutch Govt Rejects Backdoors in Encryption

The Dutch government has published a position paper in which it opposes the ideas of creating backdoors in encryption products. The paper says, in part, “The government believes that it is currently not appropriate to adopt restrictive legal measures against the development, availability, and use of encryption within the Netherlands.” The paper notes that placing backdoors in the products “would also make encrypted files vulnerable to criminals, terrorists, and foreign intelligence services.” [The Hill] [The Register] [Dutch government backs strong encryption to contradict UK stance] [Security experts support Dutch stance on encryption] [What lessons can the UK learn as the Dutch champion data encryption, oppose backdoors] See also: [David Chaum, the Father of Online Anonymity, Has a Plan to End the Crypto War] and [There’s a huge debate over an encryption expert’s plan solve the problem of online privacy]

EU Developments

EU – EU Commission Provides Overview of Data Protection Reform

The European Commission released a fact sheet regarding the impact of the General Data Protection Regulation (the “Regulation”). The GDPR safeguards freedom of expression and historical/scientific data (through the right to be forgotten) and provides specific protection for children (parental consent required for processing of minors); the use of Big Data analytics is encouraged (through GDPR promotion of anonymization, pseudonymization and encryption), and the one-stop shop mechanism positively impacts companies (they only have to deal with 1 DPA, and will receive more consistent and faster decisions). [European Commission – Questions and Answers – Data Protection Reform] [PrivaWorks] Final drafts out of the trilogues: [Final GDPR Text, December 15, 2015] | [Final DPD Text, December 15, 2015] SEE ALSO: Top 10 operational impacts of the GDPR (IAPP Privacy Advisor): Part 1 – data security and breach notification | Part 2 – The mandatory DPO | Parts 3-10 TBD

EU – NIS + GDPR = A New EU Breach Regime

European lawmakers capped off a blockbuster week for privacy with an important step towards the first comprehensive information security legislation in the EU. The Network Information Security (NIS) Directive was initially proposed by the European Commission in February 2013 to raise cybersecurity capabilities across the EU’s 28 member states. After more than two years of negotiation, the European Council reached an informal agreement with the Parliament on December 7, and the agreed text was approved by the Member States December 18. The text now must undergo “technical finalisation,” and then needs to be formally approved by both the Council and the Parliament, which is expected, according to the Council, this spring. Member States will then have 21 months to implement the Directive into law, passing their own legislation in accordance with the Directive. The Directive aims to “increase cooperation between member states and lay down security obligations for operators of essential services and digital service providers,” according to a Council press release. To that end, it will require operators to take measures to manage cyber risks and report security incidents. The Parliament and Council disagreed over which operators would be subject to the provisions. Ultimately, they extended the measures to operators of “essential services” and digital service providers. Perhaps most importantly for privacy and data protection professionals, the Directive introduces breach notification requirements that extend beyond those of the General Data Protection Regulation (GDPR). Unlike the GDPR, which mandates notification only when there is a risk to personal data, the Directive requires operators to notify competent authorities whenever there is a substantial impact on the provision of the operator’s service. Thus, while the GDPR includes security and notification provisions to protect personal data, the Directive seeks to improve security safeguards and the sharing of knowledge on cybersecurity threats. [IAPP Privacy Tracker]

EU – EDPS Releases Guidelines on E-Communications, BYOD

The European Data Protection Supervisor (EDPS) has published two sets of guidelines for EU institutions and bodies on personal data and electronic communications as well as personal data and mobile devices. The EDPS said the guidelines aim to help EU institutions comply with data protection rules, but they’re really applicable to any organization. In the guidelines, EDPS Giovanni Buttarelli said EU bodies looking to implement BYOD should look at the benefits of doing such processing “taking account of the risks and invasiveness that such use may imply.” [Press Release] SEE ALSO: [EDPS – Response to the Commission Public Consultation on the Regulatory Environment for Platforms, Online Intermediaries, Data and Cloud Computing and the Collaborative Economy]

EU – EDPS Opinion Calls for Enhanced Controls on Surveillance Tech

In a recently published opinion, European Data Protection Supervisor Giovanni Buttarelli called for enhanced controls on the export of technologies used for communications surveillance and interception. He said there is a “tension between the positive use of ICT tools and the negative impact that the misuse of technology can have on human rights, and especially on the protection of personal data and privacy.” Buttarelli said national and EU policies should address the tension but so should “all actors involved in the ICT sector.” [Full Story] See also: [EU privacy watchdog to set up ethics advisory group]

UK – ICO: Govt Should Not Have Right to Access Citizens’ Private Data

The UK government and security services shouldn’t have “willy-nilly” access to citizens’ digital communications and online activities, the Information Commissioner has warned. Such powers would represent an excessive invasion of privacy, he added. Christopher Graham made the comments while presenting evidence to a House of Lords Joint Committee on the draft Investigatory Powers Bill. The draft Bill – dubbed the “Snooper’s Charter” by critics – was introduced by Home Secretary Theresa May last year. It explicitly authorises security services to bulk-collect personal communications data and makes it illegal to even ask in court whether evidence was obtained via bulk surveillance. However, Graham warned that the legislation must not give the government carte blanche for collecting and storing citizens’ private data. “Simply by the fact that we’re all doing business, social actions and communications digitally, wherever we go, whatever we do; like it or not, we leave a digital trail,” he told the Joint Committee, and argued that data protection legislation requires much of this to remain private. “The challenge for the data protection framework is to make sure that remains private where it should be private.” Graham told the Committee that it shouldn’t be the case that the state can access all of a citizen’s private data just because it wants the power to do so. [Source] See also: [Facebook, Google, Twitter unite to attack ‘snoopers’ charter’] [UK mass surveillance ‘totalitarian’ and will ‘cost lives’, warns ex-NSA tech boss]

EU – German Federal DPA Completely Independent as of January 1, 2016

The federal German data protection authority (“DPA”) issued an update for 2016. A German law, effective January 1, 2016, establishes the federal DPA as the supreme federal authority (comparable to the Federal Court) and entirely independent, responsible only to Parliament; the DPA’s decisions are subject to judicial review. [DPA Germany – Update and Outlook for 2016]

Finance

CA – Investment Industry Regulator Issues Security Guide for Dealer Members

The Investment Regulatory Organization of Canada (“IIROC”) issued a guide for cyber incident management planning for small and mid-sized Dealer Members. The guide outlines possible causes of a cybersecurity incident, signs of possible information system compromise and recommendations for the phases of incident management (plan and prepare, detect and report, assess and decide, respond, and post-incident activity); an incident checklist is provided (whether there is a plan in place or not). [IIROC – Cyber Incident Management Planning Guide for IIROC Dealer Members]

FOI

CA – Law and Info Groups Challenge ‘Far-Reaching’ Retroactive Law

A retroactive Conservative law buried in last spring’s omnibus budget bill fundamentally undermines the rule of law and government access-to-information systems across Canada, according to court submissions in a paused constitutional challenge. Twelve of Canada’s 13 provincial and territorial information commissioners, as well as the Criminal Lawyers’ Association, are seeking intervener status in the case, which challenges the former government’s unprecedented rewrite of an old law to get the RCMP and any other government official off the hook for illegally destroying long gun registry records. The case, brought by federal information commissioner Suzanne Legault on behalf of individual Bill Clennett, is one of the messier legal challenges the new Liberal government will have to mop up in 2016. [GlobalNews]

CA – IPC Requires Ministry to Reveal Marijuana Grow-Op Info

This IPC order reviews the decision of the Ministry of Community Safety and Correctional Services to withhold records requested under FIPPA. Due to the health and safety threats posed by properties formerly used for marijuana grow-operations, it is in the public interest for certain records to be released which provide the address, dates and amounts of marijuana seized during OPP investigations; in the absence of sufficient evidence of an indoor marijuana grow-operation, the compelling public interest in disclosure no longer exists and those records should not be disclosed to the public. [IPC ON – Order PO-3547 – Ministry of Community Safety and Correctional Services] See also: [Interim Order PO-3555 – IPC Upholds York University Decision to Deny Access to Security Reports]

CA – 2010 Olympic Records Are Not in Control of 3 Public Bodies: BC OIPC

This OIPC order reviews the decision reached by the City of Vancouver, the Resort Municipality of Whistler and the Ministry of Finance (collectively, the “public bodies”) relating to records requested pursuant to British Columbia’s Freedom of Information and Protection of Privacy Act. The Adjudicator agreed with the two municipalities and a government department that the records are not in their custody (e.g. Olympic committee bylaws determined the storage and inspection of the records) or control (e.g. the public body lacks the contractual authority to regulate the records’ use, disclosure and disposition). [OIPC BC – Order F15-65 – City of Vancouver, Resort Municipality of Whistler and the Ministry of Finance]

CA – Clayton: Post-Election Document Destruction Illegal

After an investigation of widespread document destruction by the Progressive Conservatives after losing an election to the NDP last year, Alberta Privacy Commissioner Jill Clayton and Public Interest Commissioner Peter Hourihan found that lack of oversight and accountability demonstrates the need for an overhaul of the province’s records management system. The joint investigation found that no one monitored the shredding of a vast amount of government documents. “Robust and accountable records management programs are critical to ensure Albertans can exercise their access to information rights,” Clayton wrote. “This investigation found there was confusion about the rules guiding records management, and there were no consequences for not following rules.” [Document shredding rules not followed after Alberta election, investigation finds] See also: [New details about Calgary healthcare workers privacy breach]

US – New Resource from ProPublica Aims to Simplify Info Access

ProPublica’s new online Policing Patient Privacy and HIPAA Helper tools allow the curious to stay on top of the healthcare privacy community’s goings-on as well as check to see if his or her hospital or healthcare provider was amongst the hacked. Among the newest stories in the Policing Patient Privacy database is a ProPublica report on the Department of Veterans Affairs mistakenly sending incorrect veteran data to war widows and an additional study on how companies rarely face serious consequences after repeated bungles. Meanwhile, the Department of Health and Human Services published a chart that ranks the top five healthcare privacy grievances by year, with “impermissible uses and disclosures” taking the top spot from 2004 through 2014. Healthcare records breached in 2015 topped 112 million. [ProPublica]

Genetics

JP – Gov’t Says Genomic Info Considered PII

A panel of Japanese experts has decided genomic information should be considered personal information under the newly revised privacy act approved in September. The information will now be classified just as digitized facial features and fingerprints are, and genomic data related to diseases will be considered highly sensitive personal information. The government plans to add rules this year to cover grey areas surrounding protecting genomic data. [Lawyer Herald]

Health / Medical

CA – IPC Issues Guidance on Use of Health Card Numbers

The IPC released an FAQ on the use of health cards and health numbers by healthcare professionals pursuant to PHIPA. Individuals have a right to refuse to provide their health cards and health numbers to a person who is not a custodian (custodians are persons and organizations prescribed in the regulations as permitted to collect, use or disclose health numbers), and disclosure must be voluntary; it is an offence under PHIPA to require the production of a health card, except where it is required by a person or organization that provides provincially funded health resources to the individual. [IPC – Health Cards and Health Numbers – The Personal Health Information Protection Act]

Horror Stories

US – Comcast to Pay Penalty of $19,850,000 for Multiple Privacy Violations

The Superior Court of the State of California issued a stipulated judgment filed by the California Attorney General (“Plaintiff”) against Comcast Cable Communication LLC (“Defendant”) for unlawful disposal of customer information and unlawful hazardous waste disposal practices. Customer records (name, address and phone number) were disposed of without being shredded, erased or made unreadable or indecipherable; the company must designate a Privacy Officer responsible for overseeing its customer record disposal procedure, train employees on the procedures and post prominent signage about the procedures at its facilities. A third party auditor must conduct random audits to evaluate compliance with the procedures within 18, 36 and 54 months. [The People of the State of California v Comcast Cable Communications LLC – Complaint and Stipulation for Entry of Final Judgment – Superior Court of the State of California – County of Alameda | Press Release]

Identity Issues

US – IRS Provides Tax Break on Pre-Breach ID-Protection Programs

The IRS is offering new tax relief for employers that offer pre-breach identity-protection services for employees. According to IRS Announcement 2016-02, employers do not have to count the value of the protection service in an employee’s wages and gross income or report the amounts on a tax return. However, the new provision “does not apply to cash received in lieu of identity protection services,” the IRS wrote, and “does not apply to proceeds received under an identity theft insurance policy; the treatment of insurance recoveries is governed by existing law.” [BNA.com]

US – Backlash Encourages IRS to Kill Non-Profit Donor Data-Sharing Scheme

After receiving nearly 38,000 public complaints, the Internal Revenue Service (IRS) withdrew its proposal that would permit non-profits to collect the Social Security numbers of select donors. Although the IRS maintained that the program was created to safeguard donor privacy and keep reporting simple for non-profits, many were nonplussed, and the axing of the proposed system incited widespread celebration from groups like the Tea Party Patriots and the National Council of Nonprofits (NCN). “Nonprofits have neither the financial resources nor sufficient staffing to combat hackers who will see an easy source for Social Security information,” said the NCN CEO. “This also creates a liability nightmare for innocent nonprofits. … To be asked to share their address, their credit card number, and their Social Security number all in the same place would be enough to scare even the most committed donor to decline to give.” [The Daily Signal]

SG – Singapore DPA Recommends Use of Anonymization Methods

The data protection authority in Singapore issued an e-newsletter providing guidance on anonymization. Common anonymization techniques include masking (e.g. certain data details removed while preserving the essential look and feel of the data), pseudonymization (identifiable data replaced with randomly generated values from which an identity cannot be inferred), aggregation values (displayed as a total figure), replacement (average figure replaces a value), and data suppression (a range is used instead of specific values). [Personal Data Protection Commission, Singapore – Anonymisation: Managing Personal Data Protection Risk]
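As an added illustration (not from the PDPC newsletter), the five techniques listed above applied to a small constructed dataset, following the definitions exactly as the summary gives them: masking keeps the format, pseudonymisation substitutes random tokens, aggregation yields a total, replacement substitutes the average, and suppression swaps a value for a range. All names, identifiers and figures are invented.

```python
"""Anonymisation techniques named in the PDPC guidance, on constructed data."""
import secrets
import statistics
from typing import Dict, List

# Constructed sample records: fictitious people, invented values.
# Two rows share an identifier so that pseudonym consistency can be shown.
RECORDS: List[Dict] = [
    {"id": "S1234567A", "name": "Alice Tan", "postcode": "238823", "age": 34, "salary": 5200},
    {"id": "S7654321B", "name": "Bob Lim",   "postcode": "238823", "age": 41, "salary": 6100},
    {"id": "S1234567A", "name": "Alice Tan", "postcode": "238823", "age": 34, "salary": 5300},
    {"id": "S2468135C", "name": "Carol Ng",  "postcode": "018956", "age": 29, "salary": 4400},
]


def mask(value: str, keep_last: int = 2, mask_char: str = "*") -> str:
    """Masking: remove most of the detail but preserve the look and feel
    (length and trailing characters), e.g. S1234567A -> *******7A."""
    if keep_last <= 0:
        return mask_char * len(value)
    return mask_char * (len(value) - keep_last) + value[-keep_last:]


class Pseudonymiser:
    """Pseudonymisation: replace an identifier with a randomly generated token.

    The same identifier always maps to the same token, so records about one
    person can still be linked, while the token itself reveals nothing about
    the original. The lookup table is the re-identification key: keep it
    separate from the released data and under access control."""

    def __init__(self) -> None:
        self._table: Dict[str, str] = {}

    def pseudonym(self, identifier: str) -> str:
        if identifier not in self._table:
            self._table[identifier] = "P-" + secrets.token_hex(8)
        return self._table[identifier]


def aggregate(records: List[Dict], field: str) -> int:
    """Aggregation: release only the total figure for a field."""
    return sum(r[field] for r in records)


def replace_with_average(records: List[Dict], field: str) -> List[Dict]:
    """Replacement (as the guidance describes it): each individual value is
    replaced by the average over the dataset."""
    avg = statistics.mean(r[field] for r in records)
    return [{**r, field: avg} for r in records]


def suppress_to_range(value: int, width: int) -> str:
    """Data suppression (as the guidance describes it): a range stands in
    for the specific value, e.g. 34 with width 10 -> "30-39"."""
    low = (value // width) * width
    return f"{low}-{low + width - 1}"


def anonymise(records: List[Dict], pseudo: Pseudonymiser) -> List[Dict]:
    """Apply a technique per field: the direct identifier is pseudonymised,
    the name is dropped, the postcode masked and the age bucketed.
    Salary is left as-is here so aggregate()/replace_with_average() can be
    applied to it separately."""
    out = []
    for r in records:
        out.append({
            "pid": pseudo.pseudonym(r["id"]),
            "postcode": mask(r["postcode"], keep_last=2),
            "age_band": suppress_to_range(r["age"], 10),
            "salary": r["salary"],
        })
    return out


if __name__ == "__main__":
    p = Pseudonymiser()
    for row in anonymise(RECORDS, p):
        print(row)
    print("total salary:", aggregate(RECORDS, "salary"))
    print("averaged:", replace_with_average(RECORDS, "salary")[0]["salary"])
```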

Internet / WWW

WW – Microsoft to Warn of State-Sponsored Attacks

Microsoft has revised its account breach notification policy to specify when it suspects that state-sponsored attackers have targeted a user’s email or cloud services account. While Microsoft already has a policy in place that calls for notifying users of account breaches, the decision to identify a breach as coming from a state-sponsored entity was made “because it is likely that the attack could be more sophisticated or more sustained than attacks from cybercriminals and others.” [SC Magazine] [Bloomberg] [Washington Post] SEE ALSO: [Microsoft failed to warn victims of Chinese email hack: former employees]

US – Free Public Wi-Fi in NYC

New York City plans to install 10,000 free public Wi-Fi hotspots. Once operational, the kiosks will provide 2.0 strength in a 150-foot radius, as well as USB chargers, touchscreen Internet access, and free phone calls within the US. The project is expected to realize US $500 million in advertising revenue over 12 years. The plan calls for the first 500 kiosks to be up within the next six months; 4,500 additional hubs are expected to be established over the next four years. The system will be encrypted. [CS Monitor]

Law Enforcement

CA – BCCLA to OIPC: Audit Use of Mobile Cop Surveillance Towers

Micheal Vonn, policy director for the B.C. Civil Liberties Association, said she has concerns about the deployment by law enforcement of new tower cameras over the holidays — particularly whether they have the capability to see into people’s homes — but cautioned that the association hasn’t concluded such equipment is unnecessary. “What we don’t want to start out by saying is that this kind of camera could never be justified — that’s not our position,” Vonn said. “But given the sensitivity of the information regarding the deployments, how can we know when it’s being appropriately deployed?” Vonn suggested the BC OIPC consider an audit to determine whether the tower camera, which is also used by Abbotsford police and some other local police forces, is being used in a manner that doesn’t infringe on residents’ privacy rights. [Vancouver Courier]

Online Privacy

The Privacy Advisor’s Top 10 Stories of 2015

Between the U.S. President’s historic visit to the Federal Trade Commission to identify privacy and data protection as priorities this year, the European Court of Justice invalidating Safe Harbor, and the European Commission introducing the privacy reform that will change the privacy landscape globally, it’s been quite a year for the privacy profession. Here’s a look back at the top 10 stories reported in The Privacy Advisor, ranked by the number of reads each story got.

  1. Obama Stops by FTC; Announces Privacy Bills on ID Theft, Student Data, Consumer Privacy
  2. Cookies Are So Yesterday; Cross-Device Tracking Is In
  3. Safe Harbor Invalid, Rules ECJ
  4. GDPR Is Here: What’s a Privacy Pro To Do Next?
  5. With Safe Harbor Invalid, What’s a Privacy Pro To Do?
  6. Third-Party Vendor Management Means Managing Your Own Risk
  7. Would a Law Degree Take Your Privacy Career to the Next Level?
  8. His Task? Start Up a Privacy Program at a Start-Up
  9. How To Operationalize the PIA
  10. FTC’s Security Guide: A Sure-Fire Way To Stay Out of Trouble?

[Source] See also: [Why 2015 Was a Historic Year for Privacy]

US – Judge Allows Class-Action Against Yahoo to Proceed

In Chicago, a federal judge allowed a class-action lawsuit against Yahoo to proceed, which could make Yahoo liable for up to $1,500 in damages for each text message it sent to non-Yahoo customers on Sprint’s wireless network in March 2013. The suit claims Yahoo violated telecom rules by sending users who signed into Yahoo Messenger a follow-up text even though users had not given consent to be contacted. Yahoo could pay up to $750 million total “given that as many as 500,000 people could be covered in the class-action.” [Washington Post]

Privacy (US)

US – DHS Offers Drone Privacy Best Practices

The Department of Homeland Security Unmanned Aircraft Systems Privacy, Civil Rights and Civil Liberties Working Group has released 15 best practices for government agencies working with the emerging technology. In a joint statement, the co-chairs of the working group write, “The DHS Working Group neither proposes nor intends that this document regulate any other government entity. Our goal, rather, is simply to share the best practices we have identified as helping to sustain privacy, civil rights, and civil liberties throughout the lifecycle of an unmanned aircraft systems program.” The ACLU, however, said the guidelines are vague on retention limits for collected data. [Federal News Radio] See also: [UK Police to use drones for burglaries, sieges, protests] See also: [Drone Law Journal Launched]

US – DHS Releases New Year’s Resolutions for Privacy

The Department of Homeland Security’s Privacy Office reflects on its privacy progress while postulating on the future within its 2015 review. The office shed light on its involvement with the U.S.-Canada Beyond the Border Action Plan and the U.S.-E.U. Data Protection and Privacy Agreement. Among its 2016 plans is a DHS mobile app privacy policy and involvement in the Automated Indicator Sharing Initiative, in which the office will aim to “develop an automated, near-real-time capability and process for the Department of Cybersecurity and Communications Integration Center, to send and receive cyber threat indicators from government and private organizations.” [Federal News Radio reports]

US – CRS Sheds Light on Enforcement Authority in Data Breach Legislation

Most of the bills would task FTC with most of the enforcement duties, said a recent CRS report, but the legislation differs on whether the FCC should retain its existing enforcement authority over data security and breach notification for telecommunication providers. The transparency group Federation of American Scientists obtained the report and made it publicly available. [FierceGovtIT] See also: [LabMD and Wyndham Decisions Curtail FTC’s Data Privacy and Security Reach]

US – PrivacyCon to Hit Washington Jan 14

The FTC has announced the full agenda for PrivacyCon, a free and publicly accessible event, on January 14. Industry delegates, researchers, and government representatives will convene in Washington to discuss privacy and data protection research from a broad collection of academics. Among the research presentations is Cornell researcher Vitaly Shmatikov’s discovery that due to “subtle bugs,” some ads now have the ability to report a user’s medication usage and sexual preference, as well as his or her location. Registration for the event is on a “first come, first serve” basis. This event will be webcast. [Source]

US – Data Privacy Day Observed by NCSA with State of Privacy Event

The National Cyber Security Alliance (NCSA) is hosting a State of Privacy event at the Pew Charitable Trusts in Washington on January 28, more formally known as Data Privacy Day. Speakers like the FTC’s Julie Brill and EDPS Giovanni Buttarelli, among others, will discuss both “consumers’ view on privacy” and “developing a sustainable big data ecosystem.” The free and publicly accessible event aims to “initiate a practical and solutions-focused dialogue addressing the current state and future of privacy.” [Full Story]

Security

WW – 10 Data Security Trends That Will Impact You in 2016

Considering the events of the past year, here’s my take on trends and predictions for 2016.

  1. Consolidation of IT Security: The IT marketplace wants fewer vendors, not more.”
  2. The Internet of Things to Run Rampant: 6.4 billion connected “things” will be in use globally by the end of 2016 – up 30% from 2015 – and that number is expected to reach 20.8 billion by the year 2020.
  3. Responsible Disclosure: The upcoming year could bring about fundamental changes in how security researchers discover, prove, report and address vulnerabilities.
  4. Security Awareness to Expand to Consumers: In order to combat internal breaches, companies are providing their employees with cyber security awareness training.
  5. Data Breaches to Cause Extensive Implications: In the past, there have been significant delays in victims noticing the effects of a data breach – if at all. That is, until the hack of Ashley Madison, which highlighted the extent to which the personal and professional lives of a large group of people could be negatively impacted by a data breach.
  6. Privacy Regulations: With the ongoing debates around privacy regulation in Europe, security will undoubtedly be included in the conversation. Of particular note will be discussions around the case of Safe Harbor and how such European rulings will affect the global transfer and storage of personal data.
  7. SMBs to Invest More in Security: Cybercriminals are increasingly targeting SMBs because they’re seen as less secure, while oftentimes owning valuable customer data. Ransomware’ tops the list of company concerns for SMBs, and instances of cyber attacks targeting SMBs will continue to grow.
  8. Cloud Security to See Increased Shared Responsibility: Deploying a cloud-based IaaS, PaaS or SaaS provider can be a good business and security investment for companies with limited IT resources. However, companies must also understand that simply hosting in the cloud does not absolve them of security responsibilities.
  9. Incident Response to See Improvements: The onslaught of high-profile breaches has created a greater need for companies to respond to breaches in a timely manner.
  10. Collaboration Amongst Community to Increase: More than ever, security professionals are using tools and platforms to share and collaborate on security research and on uncovering and responding to threats.

[Source] SEE ALSO: [DarkReading: 15 Cybersecurity Lessons We Should Have Learned From 2015, But Probably Didn’t] [Information Week: Top Data Privacy Issues to Scare You in 2016] [Wired: The Biggest Security Threats We’ll Face in 2016]  [CSO Online: Five Cybersecurity Names to Follow in 2016] [Data in 2016: 6 Changes to Expect in Security, Cloud and Mobile Tech]

Smart Cars

WW – Data Communication Modules Coming to 2017 Toyotas

Toyota announced that select 2017 model vehicles worldwide will carry “data communication modules” (DCM) that connect the cars to “Toyota’s Big Data Center.” While the extent of the DCM’s application will vary from model to model, all cars will have, at minimum, an emergency alert reporting system that activates when the airbag is deployed. Other features are still a mystery, but Toyota did disclose in a statement that its data center will “analyze and process data collected by DCM, and use it to deploy services under high-level information security and privacy controls.” [The Verge]

Surveillance

EU – Irish DPA Requires Transparency When Using Body Worn Cameras

The Irish Data Protection Authority released guidance on the use of body worn cameras under the Data Protection Act. Individuals should be clearly informed that body worn cameras are in use, of all the purposes of the recording, who will have access to the footage and how long the images will be retained. Operators should mount conspicuous signage in the area in which the camera is operating, the person wearing the camera should be visually identifiable, and, where possible or practicable, the operator should announce to the subjects of an encounter that video and audio are being recorded with a body worn camera. [DPA Ireland – Guidance on the Use of Body Worn Cameras]

Telecom / TV

US – 2016’s Big Surveillance-Privacy Cases

It’s been 2.5 years since the first Snowden revelations were published. And in 2015, government surveillance marched on in both large (NSA) and small (the debut of open source license plate reader software) ways. Within the past year, Congress voted to end Section 215 of the Patriot Act, but then substituted a similar law (the USA Freedom Act) that leaves the phone metadata surveillance apparatus largely in place even if the government no longer collects the data directly. Even former NSA Director Michael Hayden admitted in June 2015 that this legal change was pretty minor. We also saw some notable 2015 reforms in how federal law enforcement uses stingrays, the invasive cell-phone surveillance devices in use by everyone from local cops all the way up to the FBI, DHS, and the IRS. The Department of Justice (the parent agency of the FBI) and DHS both announced new policies that require the agencies to get a warrant prior to deploying the snooping device. In October 2015, California, America’s most populous state, implemented the California Electronic Communications Privacy Act; among other reforms, this act imposed a warrant requirement on the state’s police when using a cell-site simulator. Other states that already have similar laws include Washington, Virginia, Minnesota, and Utah. But perhaps 2015’s most notable surveillance happenings took place in the court room. Last year, we summarized five cases and trumpeted: “If the Supreme Court tackles the NSA in 2015, it’ll be one of these five cases.”

US Legislation

US – Key U.S. Cybersecurity Provisions Signed into Law

Last month, tucked into a 2,000-page spending bill, the Cybersecurity Information Sharing Act of 2015 (CISA) was enacted into law. Hogan & Lovells have summarized key cybersecurity provisions. The main goal of CISA is to encourage organizations to share information with the government about the cybersecurity threats they face and to help strengthen the mechanisms via which such information is disseminated to other organizations to help them improve their cyber defenses. Despite overwhelming support in Congress and backing from many in the private and public sectors, questions remain about some provisions in CISA, including whether privacy safeguards are adequate and whether liability protections are sufficient to allay organizations’ fears of being sued based on their participation in information sharing. How these issues are resolved will help determine whether CISA will make a real difference in the way organizations share, receive, and use cybersecurity information. [IAPP Privacy Tracker]

+++

 

21-31 December 2015

Canada

CA – IPC Publishes FAQ on Amendments to FIPPA and MFIPPA

Bill 8, the Public Sector and MPP Accountability and Transparency Act, 2014, will come into effect on January 1, 2016. This Bill amends the Freedom of Information and Protection of Privacy Act (FIPPA) and the Municipal Freedom of Information and Protection of Privacy Act (MFIPPA) to include requirements for institutions to ensure the preservation of records. As a result of the amendments, heads of institutions will be required to take “reasonable measures” to preserve records in their custody or control. The amendments apply to all stages of the information life cycle and make it an offence to alter, conceal or destroy a record with the intention of denying access. As the body that oversees compliance with FIPPA and MFIPPA, the IPC strongly supports the amendments because they will bring increased transparency and accountability to Ontario public institutions. The IPC has prepared this new paper to help institutions understand their responsibilities under the recordkeeping amendments, as well as develop and implement plans to address these provisions. [Information and Privacy Commissioner /Ontario]

CA – Jennifer Stoddart Named to Order of Canada

Congratulations to Jennifer Stoddart (Officer) and Kent Roach (Member) for being named to the Order of Canada. [Globe&Mail]

CA – Canadian Companies Have Big New Ally in Fight Against Cyber Crime

Nine major Canadian companies, including the big telcos and some of the Big Five banks, along with the Canadian Council of Chief Executives are forming the Canadian Cyber Threat Exchange (“CCTX”), which will allow companies to share information among themselves, government and research institutes about cyber attacks. [Financial Post]

Consumer

US – Warrantless Online Surveillance Is OK for Most: Poll

According to the new poll, 56% of Americans favor and 28% oppose the ability of the government to conduct surveillance on Internet communications without needing to get a warrant. That includes such surveillance on U.S. citizens. Majorities both of Republicans (67%) and Democrats (55%) favor government surveillance of Americans’ Internet activities to watch for suspicious activity that might be connected to terrorism. Independents are more divided, with 40% in favor and 35% opposed. Only a third of Americans under 30, but nearly two-thirds 30 and older, support warrantless surveillance. [Source]

E-Government

US – 191 Million Voter Records Unprotected

A database containing personally identifiable information on 191 million voters has been discovered. The database is misconfigured, making it accessible online to anyone. The exposed information includes names, addresses, dates of birth, and voting history dating back to 2000. It has not yet been determined to whom the database belongs. [Wired] [The Hill] [CNET] [The Register] See also: [Livestream Acknowledges Breach] [Database configuration issues expose 191 million voter records: Massive database exposed to public, major political data managers deny ownership] [Massive trove of US voter data discovered on Web]

Encryption

WW – Google: Bring Your Own Encryption Keys to Google Cloud Platform

Google has introduced Customer-Supplied Encryption Keys for Google Compute Engine in beta, which allow you to bring your own keys to encrypt compute resources. Google Compute Engine already protects all customer data with industry-standard AES-256 encryption. Customer-Supplied Encryption Keys marry the hardened encryption framework built into Google’s infrastructure with encryption keys that are owned and controlled exclusively by you. You create and hold the keys, you determine when data is active or at rest, and no one inside or outside Google can access your at-rest data without possession of your keys. Google does not retain your keys, and only holds them transiently in order to fulfill your request. [Google]
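The practical side of "Google does not retain your keys" is that key handling is entirely on the customer: the key must be supplied again for every operation that touches the protected disk (attaching, snapshotting, imaging), and a lost key means an unrecoverable disk. The added example below (written for this page, not Google's code) generates a key in the form Compute Engine accepts for a raw customer-supplied key, validates it, computes the SHA-256 digest that the API echoes back on protected resources so you can match a disk to its key without exposing the key, and writes the JSON key file `gcloud` reads. The project, zone and disk names in the URI are placeholders, and the key-file layout (a list of `uri`/`key`/`key-type` objects) is stated here as an assumption about the `gcloud` format of the time.

```python
import base64
import hashlib
import json
import os


def generate_csek() -> str:
    """Fresh 256-bit key in standard (RFC 4648) base64, the form Compute Engine
    accepts for a raw customer-supplied key."""
    return base64.b64encode(os.urandom(32)).decode("ascii")


def validate_csek(key_b64: str) -> bool:
    """A raw CSEK must be valid base64 that decodes to exactly 32 bytes."""
    try:
        return len(base64.b64decode(key_b64, validate=True)) == 32
    except (ValueError, TypeError):
        return False


def key_sha256(key_b64: str) -> bytes:
    """SHA-256 over the raw key bytes. Compute Engine reports this digest
    (base64-encoded) on resources protected by the key, so you can tell which
    key wraps a disk without the key itself leaving your side."""
    return hashlib.sha256(base64.b64decode(key_b64, validate=True)).digest()


def key_sha256_b64(key_b64: str) -> str:
    """The digest in the base64 form the API uses."""
    return base64.b64encode(key_sha256(key_b64)).decode("ascii")


def csek_key_file(entries) -> str:
    """JSON document for `gcloud compute ... --csek-key-file`: a list of
    {uri, key, key-type} objects (layout assumed from the gcloud docs).
    Treat the resulting file as a secret: it holds the raw keys."""
    return json.dumps(
        [{"uri": uri, "key": key, "key-type": "raw"} for uri, key in entries],
        indent=2,
    )


if __name__ == "__main__":
    key = generate_csek()
    # Placeholder resource URI; substitute your own project, zone and disk.
    disk = ("https://www.googleapis.com/compute/v1/projects/my-project"
            "/zones/us-central1-a/disks/my-disk")
    print(csek_key_file([(disk, key)]))      # store offline, never in the repo
    print("sha256:", key_sha256_b64(key))    # safe to log; the key itself is not
```

The digest is what to record in inventory or ticketing systems; logging the key material itself would defeat the point of supplying it.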

EU Developments

EU – GDPR: Orgs Must Obtain User Consent for Personal Data Processing

A law firm (FieldFisher LLC) examines forthcoming changes under the General Data Protection Regulation (“GDPR”). Organisations will have to re-engineer data collection forms, online and mobile user interfaces, privacy policies and terms and conditions to ensure explicit consent can be proven; explicit consent may not be an option where there is a significant imbalance between the individual and the organisation collecting the personal data.

Filtering

WW – New Code Will Indicate When Web Content is Being Censored

The Internet Engineering Steering Group (IESG) has approved a new HTTP status code, 451, that will let users know when pages they are trying to access are unavailable for legal reasons. The new status code aims to help users differentiate between pages that are unavailable due to technical errors and those that are unavailable due to deliberate government action. [CNET] [The Register] [Washington Post]
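As an added example (not from the cited articles or the IETF), the classifier below shows how a client or measurement tool can act on the distinction the new code makes. It parses a raw HTTP/1.x response, separates a 451 from a 404, 403 or 5xx, and extracts the `Link` header with `rel="blocked-by"` that the 451 specification (published as RFC 7725) uses to name the party responsible for the block. The sample responses and the `authority.example` URL are constructed for the demo. The caveat a practitioner should keep in mind: 451 is voluntary. A censoring middlebox that would rather not advertise itself can still return 403, reset the connection or tamper with DNS, so the absence of a 451 is not evidence that no legal block is in place.

```python
import re

# rel="blocked-by" is the link relation RFC 7725 defines for naming the party
# that imposed the legal block; the regex accepts quoted and bare forms.
BLOCKED_BY_RE = re.compile(r'<([^>]+)>\s*;\s*rel\s*=\s*"?blocked-by"?', re.IGNORECASE)


def parse_http_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status code, header dict, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    _version, status, *_reason = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return int(status), headers, body


def classify_unavailable(raw: bytes) -> dict:
    """Tell a legal block (451) apart from ordinary failures, and pull out
    who claims responsibility for it when the server says so."""
    status, headers, _body = parse_http_response(raw)
    result = {"status": status, "kind": "ok", "blocked_by": []}
    if 200 <= status < 400:
        return result
    if status == 451:
        result["kind"] = "legal_block"
        for value in headers.get("link", []):
            result["blocked_by"].extend(BLOCKED_BY_RE.findall(value))
    elif status == 404:
        result["kind"] = "not_found"
    elif status == 403:
        # 403 is what a censoring middlebox usually sends; it says nothing
        # about whether the block is legal, technical or policy-driven.
        result["kind"] = "forbidden_unexplained"
    elif status >= 500:
        result["kind"] = "server_error"
    else:
        result["kind"] = "other_client_error"
    return result


# Constructed sample responses (not captured from any real site).
SAMPLE_451 = (
    b"HTTP/1.1 451 Unavailable For Legal Reasons\r\n"
    b'Link: <https://authority.example/order/123>; rel="blocked-by"\r\n'
    b"Content-Type: text/html\r\n"
    b"\r\n"
    b"<html>blocked</html>"
)
SAMPLE_404 = b"HTTP/1.1 404 Not Found\r\n\r\n"
SAMPLE_403 = b"HTTP/1.1 403 Forbidden\r\n\r\n"

if __name__ == "__main__":
    for sample in (SAMPLE_451, SAMPLE_404, SAMPLE_403):
        print(classify_unavailable(sample))
```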

Health / Medical

US – 2015: Worst Year for Healthcare Hacks is a Security Wakeup Call

Without a doubt, 2015 was the year of the healthcare megabreach and a major turning point for the sector. Some 56 major hacker attacks affecting a total of nearly 112 million individuals occurred in 2015, according to the Department of Health and Human Services. The largest of these cyberattacks hit health insurer Anthem, affecting nearly 79 million individuals, making it the biggest healthcare breach ever reported to HHS. “2015 was a blaring wake-up call to healthcare entities and their business associates that protected health information of their patients is a bullseye for fraudsters and other cybercriminals as well as nation states eager to steal IDs,” HealthcareInfoSecurity Executive Editor Marianne Kolbasuk McGee says in a year-end audio blog. [Source] [Data Breaches In Healthcare Totaled Over 112 Million Records In 2015] [US: Few Consequences For Health Privacy Law’s Repeat Offenders]

Horror Stories

WW – Hello Kitty User Database Unprotected

A breach of sanriotown.com has exposed the personal information of 3.3 million Hello Kitty users. The database may have been open to intruders for more than a month. The vulnerable database was found by the same person who recently discovered the unprotected MacKeeper database. [The Register] [NBC News] [Wired] See also: [Canadian data breaches in 2015: Big firms weren’t the only targets]

Identity Issues

US –TSA May Stop Accepting Certain State-Issued IDs

The US Department of Homeland Security (DHS) may soon start enforcing the Real ID Act, which requires states to comply with certain federal security standards when issuing identification cards. People from states with non-compliant systems may find themselves unable to board planes or enter federal buildings with their ID cards. Some of the states are not compliant due to active opposition to the law due to privacy concerns or prohibitive costs. [NYTimes] [ArsTechnica] [DHS.gov]

US – One State Has Started Putting Drivers’ Licenses on Smartphones

The Iowa Department of Transportation spent $40,000 on a pilot program to outfit 15 state employees with a “mobile driver’s license,” or mDL. This iOS app displays a virtual license with a rotatable image of the driver’s head after users take a selfie that is verified against their license photo on file. The mDL program is the result of public interest in the technology, which could be offered to more Iowans this year. Some proposed benefits seem obvious: Instant updates to addresses and driving records will shorten lines at the DMV, and eliminating physical licenses saves the state production costs. Also, merchants and financial institutions see it as a means of combating fraud. The driver’s license is already the de facto standard for proving identity, so it follows that cash-strapped states would seek to monetize this service. A system in which businesses would use a license-reader app to verify a credit-card customer’s identity might net the state a small transaction fee. Bars and restaurants could similarly deploy apps for age verification. This could also increase privacy for consumers, who would no longer need to expose personal information printed on a physical license, choosing to share only their photo and proof of legal drinking age. [Source]

Internet / WWW

WW – Video Game Companies Collecting Massive Amounts of Personal Data

Haven’t read the “terms and conditions” on that video game system you got for the holidays? You may want to take a look. With more and more video game companies collecting ever greater amounts of data about their customers, privacy advocates are starting to warn about risks to gamers’ personal privacy — as well as the dangers in normalizing surveillance. [Source]

WW – Privacy-as-a-Service Scatters Data in Disappearing Clouds

When attackers break through layers of encryption and firewalls, one way to keep cloud-based data safe is to keep it scattered and in constant motion. Dispel, a start-up focusing on enterprise-grade digital privacy for small to midsize businesses (SMBs) and individuals, offers digital privacy rooted in ephemeral cloud infrastructure. [pcmag.com]

Location

Online Privacy

WW – Spanish Cybersecurity Agency Outlines Web Tracking Techniques

The Spanish National Institute of Cybersecurity (“INCIBE”) issued an overview of techniques used for web tracking of internet users. Techniques include digital fingerprints (from browsers, software, hardware, networks and geolocation), header injection, preferences and patterns of behaviour, and client-side identifiers (cookies, caches, session identifiers and super cookies). [INCIBE – Web Tracking of Internet Users]
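The cache-based identifiers in that list deserve a concrete illustration, because they survive the one defence most users know about (clearing cookies). The added example below (written for this page, not INCIBE's material) simulates an ETag "super cookie": the tracker hands each new visitor a unique ETag on a cacheable resource, and a browser-like client replays that value in `If-None-Match` on every revalidation, returning the identifier without any cookie ever being set. The `TrackingServer` and `CachingClient` classes, the `/pixel.gif` URL and the response bodies are constructed for the demo.

```python
import secrets


class TrackingServer:
    """Tracker that plants its identifier in a cache validator (ETag) rather
    than a cookie. Browsers echo the stored ETag in If-None-Match when they
    revalidate, which hands the identifier straight back."""

    def __init__(self):
        self.visits = {}  # etag -> number of times this visitor has returned

    def handle(self, request_headers: dict):
        etag = request_headers.get("If-None-Match")
        if etag in self.visits:
            self.visits[etag] += 1
            return 304, {"ETag": etag}, b""            # recognised, no body needed
        etag = '"' + secrets.token_hex(8) + '"'        # fresh id for a new visitor
        self.visits[etag] = 1
        # Long max-age keeps the validator in the cache for as long as possible.
        return 200, {"ETag": etag, "Cache-Control": "max-age=31536000"}, b"GIF89a"


class CachingClient:
    """Minimal browser-like cache: remembers the validator per URL and
    replays it. It never stores or sends a cookie."""

    def __init__(self):
        self.cache = {}  # url -> etag

    def fetch(self, server: TrackingServer, url: str):
        headers = {}
        if url in self.cache:
            headers["If-None-Match"] = self.cache[url]
        status, resp, _body = server.handle(headers)
        self.cache[url] = resp["ETag"]
        return status, resp["ETag"]

    def clear_cache(self):
        """The only client-side action that actually breaks the link."""
        self.cache.clear()


if __name__ == "__main__":
    tracker = TrackingServer()
    alice = CachingClient()
    print(alice.fetch(tracker, "/pixel.gif"))   # 200, new ETag issued
    print(alice.fetch(tracker, "/pixel.gif"))   # 304, same ETag: alice recognised
    alice.clear_cache()
    print(alice.fetch(tracker, "/pixel.gif"))   # 200, new ETag: link broken
```

The server-side record `visits` is the tracking database; note that it was built from nothing but standard HTTP caching behaviour, which is why blocking the tracker's domain or clearing the cache together with cookies is the effective countermeasure, and why a cookie banner says nothing about this channel.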

WW – Facebook and Twitter’s User Privacy Efforts Crushed by New Government Legislation

Facebook and Twitter’s attempts to champion user privacy are being undermined by the intelligence community and UK government following new proposals to jail employees who tip off users that their data has been requested. Under the new offence, employees of any communication service provider could be jailed for up to two years for informing a user that security services or law enforcement authorities have requested their data. The move hampers ongoing attempts by Facebook, Twitter and several other social network and technology companies to assure members that their information is secure and that they will be told if any government agency is monitoring them. [thedrum.com] See also: [Twitter Revises Policy Banning Threats and Abuse]

WW – Twitter Reverses Stance on Archiving Politicians’ Deleted Tweets

Twitter reached an agreement with two transparency-focused organizations, Sunlight Foundation and the Open State Foundation, that will allow them to resume publishing the deleted tweets of politicians and government officials in the new year. In August, Twitter cut off access to Politwoops, a Sunlight Foundation initiative that published elected officials’ deleted tweets. The technology company said Politwoops violated its developer agreement, which mandates that services with access to Twitter’s servers must not display tweets that users have deleted. [Source] See also: [Twitter vows to wage war on internet trolls]

Other Jurisdictions

CN – China Passes Counterterrorism Law

China’s parliament has passed an anti-terrorism law that requires companies doing business in that country to “provide technical support and assistance, including decryption, to police and national security authorities in prevention and investigation of terrorist activities.” The law is a step back from an earlier draft, which would have required companies to provide the Chinese government with encryption codes. Telecoms and ISPs must verify customer identities, implement information content monitoring systems and provide decryption and other technical support to security bodies conducting anti-terrorism investigations; penalties for failure to comply with these requirements range from CNY 100,000-500,000 (approximately USD 15,500-77,122). [Slate] [Counter-Terrorism Law of the People’s Republic of China] [China counterterrorism law: US cyber privacy advocates express concern] [China’s New Big Brother Law Is A Clone Of The West’s Bad Ideas]

Privacy (US)

US – Technology Will Create New Models for Privacy Regulation: Lessig

In a new interview, Harvard law professor Lawrence Lessig shared his view of the future of privacy in this age of data breaches. “The average cost per user of a data breach is now $240. Think of businesses looking at that cost and saying, ‘What if I can find a way to not hold that data, but the value of that data?’ When we do that, our concept of privacy will be different.” [WSJ] SEE ALSO: [The Year in Tech Law and Digital Brouhaha, from A to Z: The deals, bills and court cases that garnered headlines in 2015] SEE ALSO [2015 was a tipping point for six technologies that will change the world]

Privacy Enhancing Technologies (PETs)

WW – Microsoft Will Ban Man-in-the-Middle Ad Injection Software

Microsoft will block ad injection software that makes use of man-in-the-middle (MiTM) techniques. The company says it aims “to keep the user in control of their browsing experience.” Microsoft will begin enforcing the changes on March 31, 2016. [ZDNet] [TechNet] See also: [Top Ten Privacy Websites]

Security

WW – 2015 Cybersecurity Market is $75B; Expected to Reach $170B by 2020

Fasten your seat belts. 2016 promises to be a big year for the cybersecurity industry. Following up on October’s report, The Business of Cybersecurity: 2015 Market Size, Cyber Crime, Employment, and Industry Statistics, Part II recaps cybersecurity spending in 2015 and projects market growth over the next five years. Worldwide spending on information security will reach $75 billion for 2015, an increase of 4.7% over 2014, according to the latest forecast from Gartner, Inc. The global cybersecurity market is expected to be worth $170 billion by 2020, growing at a compound annual growth rate (CAGR) of 9.8% from 2015 to 2020. According to IDC, the hot areas for growth are security analytics / SIEM (10%); threat intelligence (10%+); mobile security (18%); and cloud security (50%). The global managed security services market is projected to reach nearly $30 billion by 2020, with a CAGR of 15.8% over the next five years. The global enterprise governance, risk and compliance (GRC) market is expected to grow from $5.8 billion in 2014 to $11.5 billion by 2019, a CAGR of 14.6% for the period 2014 to 2019. A new cybercrime wave is driving IoT spending, and the Internet of Things (IoT) security market is expected to grow from $6.89 billion in 2015 to nearly $29 billion by 2020, a CAGR of nearly 55% over the period 2014-2019. [Forbes]

WW – The Top 16 Security Predictions for 2016

GovTech examined hundreds of expert forecasts for 2016 and beyond. Reading the cyber trends and predicted technology events from top companies, it is hard to be optimistic about our online situation. And yet the combined predictions tell an important story about online life. So where is cyberspace heading? What surprises await us? Here is the annual one-stop roundup of what security experts say will happen next:

1)   Symantec: Symantec leads with attacks on the Internet of Things (IoT) and Apple iOS attacks growing dramatically. An impressive Symantec list of 2016 security predictions overall.

2)   Last December, Raytheon/Websense successfully predicted 2015 health-care concerns in their security predictions overview. This year, Raytheon/Websense leads with predictions about attacker trends (increased abuse of newly created infrastructure), end-user behavior in a post-privacy society and evolving business behaviors as a result of cyberattacks and data breaches — including a surge in cyber insurance.

3)   McAfee (Intel Security): McAfee Labs offer a five-year cybersecurity look ahead in infographic form. They predict a growing attack surface, difficult-to-detect cyberattacks, new device types and much more. They also cover growth in “integrity attacks” where hackers change the data to do harm.

4)   FireEye: FireEye offers a free prediction report on their 2016 webcast which leads with security concerns with Apple devices in 2016 as well as IoT security problems. More sophisticated forms of ransomware attacks. Also, there will be “Increased Attacks on Industrial Control Systems.”

5)   Trend Micro: Trend Micro leads with “2016 will be the year of online extortion.” Second, “At least one consumer-grade smart device failure will be lethal in 2016.” Trend Micro’s presentation of their 2016 security predictions gets them top honors for the best online graphics, clearest presentation, and easiest-to-understand security prediction summary.

6)   Kaspersky: The Kaspersky blog offers a nice narrative of various cyber trends that could lead to major events in 2016, including: “Blackmailing and squeezing money for stolen photos and hacked accounts.” Also car hacks will grow: Culprits probably won’t focus on the systems themselves, but rather on the special protocols, which are implemented to enable communications between cars.

7)   Sophos: Sophos offers their 2016 cybersecurity threat predictions. Like others, they lead with mobile threats rising, IoT platform vulnerabilities and small and medium-size businesses (SMBs) seeing more attacks.

8)   Alert Logic: Alert Logic offers some optimistic 2016 predictions about the cloud — such as: “2016 will be the first year people choose cloud because of the security benefits.” This sets them apart and puts them in the top group.

9)   Network World: Network World’s Jon Oltsik again offers this list, a bit different from other predictions. Leading his 2016 prediction list were: “Greater focus on cyber supply chain security, and the consumerization of authentication.” He also predicted that cyber insurance is set to boom (with others who predicted this).

10) IDC: IDC offers many technology predictions for the CIO Agenda, with #6 reading: “By 2016, 70% of IT organizations will shift their focus to advanced ‘contain and control’ security and away from a perimeter mentality.” “It’s time for organizations to reframe their security from the old, reactive threat-oriented model to an advanced, proactive, predictive, and integrity-oriented approach,” says Mike Rosen, vice president of research with IDC’s IT Executive Programs (IEP).

11) IBM: IBM offers several intriguing 2016 security predictions. A few include:

  • (More) companies and governments to use block-chain encryption.
  • Cyber intelligence as a service is coming.
  • Vulnerability curators will become prevalent.
  • More data breaches will lead to spikes in cyber-spending.
  • Financial orgs create own fusion centers — leave managed security services.

12) Computer Sciences Corp. (CSC): CSC’s chief technology officer offers technology trends to watch. Some predictions are on security, such as: “As context increases, cybertargets increase.” That is, as data becomes more contextually rich, it becomes more valuable to the enterprise, and to cybercriminals as well.

13) Business Insider offers: “How vulnerable IoT devices are changing the cybersecurity landscape.” This is a deeper look at vulnerable IoT systems:

– Research has repeatedly shown that many IoT device manufacturers and service providers are failing to implement common security measures in their products.

– Hackers could exploit these new devices to conduct data breaches, corporate or government espionage, and damage critical infrastructure like electrical grids.

– Investment in securing IoT devices will increase five-fold over the next five years as adoption of these devices picks up.

14) Forbes Magazine Online: Forbes leads their security prediction list for 2016 with the “leadership over luck theme.” Here’s an excerpt: “Unfortunately in most respects, 2016 won’t change much: users will still click on malicious links; IT will still be bad at patching; the bad guys will still attack; and the tide of misery from breaches will continue. What matters most is whether your organization will be a victim or not. Of course you could do nothing, and be lucky. But the only way to control your fate is to lead your organization to high ground based on a well-considered, security-first strategy. …

15) LogRhythm offers 10 interesting predictions such as: “An uptick in all-in-one home surveillance systems.” We are seeing more motion sensing/camera/recording devices in the home that can be managed through personal devices. This type of technology will continue to expand, and with this expansion, hackers will try to exploit them or cause chaos. Also: A rise in the use of mobile wallet apps. Like having virtual money and an ID in one’s pocket, mobile wallet apps are at the intersection of marketing and payments. And although a mobile wallet is convenient, it is directly tied to one’s mobile phone, which is a critical access vector for cyber threats.

16) Imperva: Imperva has some fascinating and big predictions worth reading, including contractors getting more scrutiny in “Cyber Pat Downs.”

Source: [GovTech] See also: [The weird and wacky of 2015: strange security and privacy stories]

WW – Oracle Reaches Settlement with FTC Over Java SE Security

Oracle, one of the nation’s largest tech companies, is settling federal charges that it misled consumers about the security of its software, which is installed on roughly 850 million computers around the world. The company won’t be paying a fine, and it isn’t admitting to any wrongdoing or fault in its settlement with the FTC. But Oracle will be required to tell consumers explicitly if they have outdated, insecure copies of the software — and to help them remove it. The software, known as Java SE, helps power many of the features consumers expect to see when they browse the Web, from browser-based games to online chatrooms. But security experts say Java is notoriously vulnerable to attack. It has been linked to a staggering array of security flaws that can enable hackers to steal personal information from users, including the login information for people’s financial accounts, the FTC said. [Washington Post]

Surveillance

US – Gov’t Warrantless Collection of Communications is Constitutionally Valid

Jamshid Muhtorov (“Defendant”) moved to suppress evidence that the United States of America (“Plaintiff”) allegedly collected unlawfully under the FISA Amendments Act of 2008 (“FAA”). The court held that, in the context of national security, a warrantless search and seizure of electronic communications under the FAA was reasonable, since privacy expectations diminish as an individual puts more information out into the global telecommunications network (the controls provided in FISA balance the government’s use of FAA-acquired communications against the individual’s privacy interests). [United States of America v Jamshid Muhtorov and Bakhtiyor Jumaev – Criminal Case No 12-CR-00033-JLK – USDC for the District of Colorado]

EU – Dutch DPA: WiFi Tracking in Stores Conflicts with Data Protection Law

The data protection authority in the Netherlands (“DPA”) investigated Bluetrace, a technology company, for collecting tracking and location data of shoppers and passersby. Measurement data was collected from individuals in shopping malls (MAC addresses of mobile phones, WiFi signal strength, sensor serial number and timing); data was collected 24 hours a day, 7 days a week and kept indefinitely, individuals could be identified using a combination of the data, and shoppers were not informed about the collection. [DPA Netherlands – WiFi Tracking Around Stores in Conflict with the Law]
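The finding that individuals could be identified from a MAC address plus timing is worth making concrete, because the usual vendor answer, "we only store a hash of the MAC", does not help: an unkeyed hash of a 48-bit address whose first 24 bits are a published vendor prefix (OUI) is reversible by enumerating the remaining 2^24 values, and the hash is a stable identifier across sensors and days regardless. The added example below (written for this page, not Bluetrace's or the DPA's code) demonstrates both the reversal and the keyed alternative, an HMAC with a secret the operator rotates and discards, which gives unlinkable tokens per period and nothing for a brute force to compare against. The `SAMPLE_MAC` value is constructed with a small suffix so the demo search finishes quickly; `max_suffix` exists only to bound the demo's running time.

```python
import hashlib
import hmac


def hash_mac(mac: str) -> str:
    """Unkeyed SHA-256 of a MAC address: the kind of 'anonymisation' that
    merely replaces the identifier with a stable token anyone can recompute."""
    return hashlib.sha256(mac.lower().encode("ascii")).hexdigest()


def reverse_hashed_mac(digest_hex: str, oui: str, max_suffix: int = 1 << 24):
    """Recover a MAC from its unkeyed hash by enumerating the NIC-specific
    suffix under a known vendor prefix (OUI). The full suffix space is 2^24,
    about 16.7 million hashes per OUI, i.e. seconds to minutes on a laptop;
    max_suffix only bounds the demo's running time."""
    for n in range(max_suffix):
        b = n.to_bytes(3, "big")
        candidate = f"{oui.lower()}:{b[0]:02x}:{b[1]:02x}:{b[2]:02x}"
        if hash_mac(candidate) == digest_hex:
            return candidate
    return None


def keyed_pseudonym(mac: str, secret: bytes) -> str:
    """HMAC-SHA256 under a secret the sensor operator rotates (e.g. daily) and
    never stores with the data. Without the secret the brute force above has
    nothing to compare against, and tokens from different periods don't link."""
    return hmac.new(secret, mac.lower().encode("ascii"), hashlib.sha256).hexdigest()


# Constructed example address (VMware OUI 00:50:56) with a small suffix so the
# demo search stays well under a second.
SAMPLE_MAC = "00:50:56:00:12:34"

if __name__ == "__main__":
    token = hash_mac(SAMPLE_MAC)
    print("stored token:", token)
    print("recovered   :", reverse_hashed_mac(token, "00:50:56", max_suffix=1 << 16))
    print("keyed day 1 :", keyed_pseudonym(SAMPLE_MAC, b"secret-for-day-1"))
    print("keyed day 2 :", keyed_pseudonym(SAMPLE_MAC, b"secret-for-day-2"))
```

Even the keyed form only pseudonymises within one key period; combined with 24/7 collection, indefinite retention and per-sensor timing it still yields movement profiles, which is why the DPA's objection is to the collection itself, not just to the format of the stored identifier.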

UK – Hyde Park Visitors Covertly Tracked Via Mobile Phone Data

Visitors to Hyde Park, one of London’s most famous tourist spots, were covertly tracked via their mobile phone signals in a trial undertaken by the Royal Parks to analyse footfall amid drastic funding cuts. Officials were able to retrospectively locate park-goers for 12 months using anonymised mobile phone data provided by the network operator EE via a third party. Aggregated age and gender data was also made available during the initiative. If a zone of the park contained more than 50 people at once, it was possible to “drill down” to the aggregated demographic data of visitors to that area too, creating a detailed picture of how different people used the park in previous months. [The Guardian]

Telecom

US – California’s DMV Puts the Brakes on Self-Driving Cars

The California DMV released its draft guidelines for the deployment of some autonomous vehicles, offering an early window into how regulators will address safety and privacy concerns surrounding the emerging technology. But officials excluded fully self-driving vehicles from their proposal, citing safety concerns. The current draft rules appear to be a barrier to companies interested in offering fleets of fully autonomous vehicles as a ride service in the state. “We’re gravely disappointed that California is already writing a ceiling on the potential for fully self-driving cars,” Google said in a statement. “Safety is our highest priority and primary motivator as we do this.” [Washington Post]

US – Astronaut Tim Peake Calls Wrong Number from Space Station

UK astronaut Tim Peake has apologised for dialing a wrong number from space and saying to a woman on the other end of the line: “Hello, is this planet Earth?” Mr Peake said on Twitter it was not intended to be a “prank call”. [BBC]

US Government Programs

US – Law Student Sues to Overturn New TSA Full-Body Scan Policy

A law student in Miami has asked a federal appeals court to overturn a new Transportation Security Administration policy that could require travelers to use full-body scanners at airport checkpoints even if they opt for a pat-down search. [USA Today]

US – FAA Issues Final Rule for Drone Registration and Marking Requirements

The Federal Aviation Administration (“FAA”) amends Title 14 of the Code of Federal Regulations to implement registration and marking requirements for small unmanned aircraft (“drones”). The interim final rule implements a web-based aircraft registration process for owners of small drones; registrants will receive their Certificate of Aircraft Registration/Proof of Ownership, valid for 3 years, that will include a unique identification number that must be marked on the drone. The normal registration fee is $5, but in an effort to encourage registration, the FAA is waiving this fee for the first 30 days (from December 21, 2015 to January 20, 2016). Comments on this interim final rule are due by January 15, 2016. [FAA – 14 CFR Parts 1_45_47_48_91 and 375 – Interim Final Rule – Registration and Marking Requirements for Small Unmanned Aircraft] [Press Release] [Politico: Drone privacy push could stall out] See also: [FAA drone ban extended 30 miles beyond DC] [The FAA’s rules are clashing with established and more developed rules: NYT] [Here’s how to register your drone with the government] AND [CA – OPP Issues Message for Drone Users]

US Legislation

US – Amendments to GLBA Provide Exemptions to Notice Requirements

Financial institutions will no longer be required to provide customers with an annual privacy notice provided they meet two conditions: they provide non-public personal information (“PI”) about customers to non-affiliated third parties only pursuant to GLBA exceptions permitting such disclosure, and they have not changed their policies and practices relating to disclosure of non-public PI from those disclosed in their most recent GLBA privacy notice. H.R. 22, the Fixing America’s Surface Transportation Act (“FAST Act”), amends the Gramm-Leach-Bliley Act (“GLBA”) and the Fair Credit Reporting Act (“FCRA”); the Bill was signed by President Obama on December 4, 2015. [Congress Close to Approving Limited GLBA Regulatory Relief – Nathan D Taylor, Partner, Morrison Foerster, LLP]

Workplace Privacy

EU – French Supreme Court Ruled Supervisor Unlawfully Uploaded Employee Personal Data to Intranet Site

A supervisor’s negligence and a system error led to the unlawful disclosure of an employee’s performance review (the review was posted on the company intranet site rather than sent to the supervisor’s secretary’s inbox) without authorisation from the employee, in contravention of the Personal Data Protection Act. [Laurent X v Francois-Gilles Y – Supreme Court of France – Case No 13-85587]

WW – The Open-Office Trend is Destroying the Workplace

New open floor plans are ideal for maximizing a company’s space while minimizing costs. Bosses love the ability to keep a closer eye on their employees, ensuring clandestine porn-watching, constant social media-browsing and unlimited personal cellphone use isn’t occupying billing hours. But employers are getting a false sense of improved productivity. A 2013 study found that many workers in open offices are frustrated by distractions that lead to poorer work performance. Nearly half of the surveyed workers in open offices said the lack of sound privacy was a significant problem for them and more than 30% complained about the lack of visual privacy. Meanwhile, “ease of interaction” with colleagues (the problem that open offices profess to fix) was cited as a problem by fewer than 10% of workers in any type of office setting. In fact, those with private offices were least likely to identify their ability to communicate with colleagues as an issue. In a previous study, researchers concluded that “the loss of productivity due to noise distraction … was doubled in open-plan offices compared to private offices.” The New Yorker, in a review of research on this nouveau workplace design, determined that the benefits in building camaraderie simply mask the negative effects on work performance. While employees feel like they’re part of a laid-back, innovative enterprise, the environment ultimately damages workers’ attention spans, productivity, creative thinking, and satisfaction. [Washington Post]

+++

14-20 December 2015

Canada

CA – OPC Warns of ‘Sea Change’ in Privacy Rights in Canada

Federal Privacy Commissioner Daniel Therrien issued his 2014-2015 Annual Report on the Privacy Act, titled “Protecting Personal Information and Public Trust”. In his annual report, Therrien looked at three pieces of legislation which, “taken together, these initiatives have resulted in what can only be described as a sea change for privacy rights in Canada.” The first, C-44, allows Canadian spies to operate abroad and gives them more ability to obtain information without disclosing its origins; C-13 creates new legal authority for police and public servants to obtain Canadians’ personal data without a warrant; and C-51, the anti-terrorism legislation, opens the door for wide new intelligence-gathering and sharing. The Liberals have said they will change aspects of C-51, but have said little about the other two pieces of legislation. [Vice] [Privacy czar sees middle ground in fight over access to Internet customer info] See also: [No to surveillance: Unions push Liberals to repeal Bill C-51] [Federal government needs to do more to guard against breaches and privacy violations] [Record high number of federal data breaches, says Canada’s privacy commissioner] [Federal departments reported 256 data breaches in 2014-15] [Privacy watchdog urges Liberals to open ‘exhaustive debate’ on Bill C-51] [Privacy czar urges ‘open debate’ as Trudeau government rethinks terror law]

CA – Supreme Court to Weigh in on the Solicitor-Client Privilege Dispute Between Courts, Privacy Commissioners

As outlined in the April 2015 Blakes Bulletin: Privilege Rules: Solicitor-Client Privilege Held Sacrosanct by Alberta Court of Appeal, the Supreme Court of Canada (SCC) has granted leave to appeal (on October 29, 2015) the Alberta Court of Appeal’s decision in University of Calgary v. JR, where the Alberta Court of Appeal held that Alberta’s Office of the Information and Privacy Commissioner (OIPC) does not have the statutory authority under the Freedom of Information and Protection of Privacy Act (FOIPPA) to order a public body to produce records over which it has asserted solicitor-client privilege. [Blake, Cassels & Graydon LLP, mondaq.com] See also: [Making Private Information Public: The Continued Expansion of Privacy Class Action Liability] [Canadian Businesses Increasingly Face Privacy Breach Class Actions Absent Traditional Forms of Damages]

CA – Nova Scotia Cyberbullying Law Declared Unconstitutional

The Supreme Court of Nova Scotia has declared the province’s cyberbullying law to be unconstitutional, from start to finish. It was passed unanimously by the Nova Scotia legislature in the immediate aftermath of the death of Rehtaeh Parsons. The government of the day – which was heading for an election – was not willing to throw the police and the prosecution service under the bus for no charges being laid, so instead created the appearance of doing something by creating and passing a very poorly executed law. In the process, they trampled on the Charter rights of all Nova Scotians and created a distraction from the important discussion about sexual assault and consent. [Privacy Lawyer] See also: [The “New York Times Magazine” has a good story about swatting, centering around a Canadian teenager who did it over a hundred times]

Consumer

WW – People are Info-Egoists When It Comes to their Privacy: Study

People are much more concerned about sharing their own private information with third-party app developers than they are about revealing their friends’ data, according to Penn State researchers. However, as social media makes data increasingly interconnected, preserving one’s own privacy while ignoring the privacy rights of others may make everybody’s data more vulnerable. “The problem is becoming known as interdependent privacy. The privacy of individual consumers does not only depend on their own decisions, but is also affected by the actions of others.” [Phys.org] See also: [ComputerWeekly: UK BCS Launches Consultation on Personal Data Exploitation]

E-Mail

CA – B.C. Government Must Strengthen Records Management, Says Report

A report into records mismanagement by the B.C. government has made several sweeping recommendations in advance of legislation that will come into effect next year. In October, B.C. privacy commissioner Elizabeth Denham published a report finding that the provincial government inappropriately deleted emails. The government then appointed former B.C. privacy commissioner David Loukidelis to produce a follow-up report providing detailed recommendations on how it should manage records and handle freedom of information requests. The report was tabled on December 16th. Loukidelis called for reforms within the Ministry’s Information Access Operations (IAO), which is a central body within the B.C. government that processes freedom of information requests to its ministries. This body took over the processing of requests when the government shifted to a centralized model in 2009. In particular, the IAO should be on the lookout for situations where the government cannot meet the standard expected of it, the report suggested. [IT World Canada] [Times Colonist: Make Openness the First Default: Premier Clark said the government accepts all the recommendations]

US – Retailers Improve Unsubscribe Practices, Allowing Consumers to Opt Out

The Online Trust Alliance (OTA), the non-profit with the mission to enhance online trust, revealed today results of its second annual OTA Email Unsubscribe Audit, analyzing which leading e-commerce sites are enabling consumers to easily opt out of email. OTA reported that 75% of the top 200 online retailers (according to the Internet Retailer Top 500 list) have moved beyond basic compliance, demonstrating a commitment to user empowerment and control of their inboxes. These companies have been named to the 2015 Unsubscribe Honor Roll, recognizing excellence in marketing practices. Companies achieved this distinction by scoring 80% or higher on a weighted blend of 12 best practice criteria related to the unsubscribe process and results. Merchants also improved significantly in their honoring of unsubscribe requests. In 2014, 10% of those audited failed to honor unsubscribe requests, while in 2015 the failure rate was less than 2%. [Download the Report]

Encryption

EU – Paris Terrorists Used No Encryption at All

In the wake of the Paris attack, intelligence officials and sympathizers upset by the Edward Snowden leaks and the spread of encrypted communications have tried to blame Snowden for the terrorists’ ability to keep their plans secret from law enforcement. Yet news emerging from Paris — as well as evidence from a Belgian ISIS raid in January — suggests that the ISIS terror networks involved were communicating in the clear, and that the data on their smartphones was not encrypted. [The Intercept] [TechDirt] [ArsTechnica] See also: [Paris attacks blamed on strong cryptography and Edward Snowden] and also: [FBI head: Social media becoming weapon for terrorists (and new word on the San Bernardino shooters)] and [Apple CEO defends privacy, encryption amidst terrorist concerns] [Rolling Stone Magazine: Edward Snowden: Clinton’s Call for a ‘Manhattan-Like Project’ Is Terrifying]

EU Developments

EU – EU Officials Reach Agreement on Text of New Privacy Law

After nearly four years of haggling and lobbying, negotiators agreed on a final text of the EU-wide bill, which will replace a patchwork of 28 different sets of national privacy laws, and boost the bloc’s paltry privacy penalties to potentially billions of euros, EU officials said. Under the agreed text, fines would rise to a maximum of 4% of a company’s world-wide revenue. The text, which must be definitively approved by the European Parliament and EU governments before going into effect in two years’ time, is expected to tighten rules for getting online consent and create new responsibilities for cloud-services companies. It is also expected to tightly restrict how analytics and advertising companies can re-use data harvested from individuals, for example after they purchased a product or signed up for a service. The agreement on the law kicks off a new phase of fighting between regulators and companies over how to best tackle the vast amount of personal information that individuals generate when they do anything from visiting a website to walking past a Wi-Fi hot spot. [Wall Street Journal] [Council of the European Union – Proposal for a Regulation of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) – Final Text | Press Release] [EU Data Protection Deal Confirmed: Overview, Next Steps] See also: [The Transatlantic Data War: Europe Fights Back Against the NSA]

EU – Article 29 Working Party Calls for EU Police Directive to Prohibit Mass Data Transfers to Third Countries

The Article 29 Data Protection Working Party (the “Working Party”) issued its opinion on the EU Police Directive. Massive, repeated and structured transfers of personal data to third-country authorities should be prohibited; exceptions should be justified and limited to what is strictly necessary. There should be a general obligation to notify a data breach to the DPA, and notification to data subjects should be distinguished by their categorization (e.g. victims, witnesses, etc.). [Opinion 03/2015 on the draft directive on the protection of individuals with regard to the processing of personal data by competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and the free movement of such data – Working Paper 233]

UK – Committee Seeks Input on Draft Investigatory Powers Bill

The Joint Committee on the Draft Investigatory Powers Bill was appointed by the two Houses of Parliament in the UK to explore key issues raised by the proposed legislation. The committee sought input from “interested individuals and organisations.” Written evidence will be accepted through December 21, 2015. [BCS] [UK Parliament] [Police could hack any device, even toys, under UK surveillance draft bill] [Written Evidence Regarding Investigatory Powers Bill – Andrews & Arnold Ltd and FireBrick Ltd: Investigatory Powers Bill Overstates Usefulness of Internet Connection Records]

Facts & Stats

US – More Than 11 Million Victims of Healthcare Breaches in 2015

The U.S. Department of Health and Human Services found that 55 healthcare organizations were the victims of breaches and hacks in 2015, with a total of 11,802,842 affected individuals. “The sheer amount of victims shows that the healthcare industry needs to step up its security game,” the report states. “If the healthcare industry doesn’t want to become the first one to have the dubious distinction of having a fatal victim, and doesn’t want to keep losing private data, it better start taking security seriously. The numbers don’t lie,” it continues. [Motherboard] See also: [University Pays $750,000 Penalty for Security Breach and Failure to Conduct Risk Assessment of e-PHI: HHS – Resolution Agreement – University of Washington] [Modern Healthcare]

Filtering

EU – Germany: Web Giants Pledge to Delete Hate Speech in 24 Hours

Facebook, Google and Twitter have agreed to delete hate speech deemed illegal in Germany within 24 hours. The move follows pressure from German authorities concerned about the increasing volume of racist abuse being posted on social networking sites. [AP] [German Supreme Court rules in favor of blocking websites]

CN – China Seeks Internet Regulation; Activists Warn of Threat to Speech

Chinese President Xi Jinping called for governments to cooperate in regulating Internet use, stepping up efforts to promote controls that activists complain stifle free expression. Xi’s government operates extensive Internet monitoring and censorship and has tightened controls since he came to power in 2013. [USNews] See also: [The Star: China Prepares to Rank Its Citizens — One By One]

Health / Medical

EU – Digital Health Plans Will Give Patients Online Access and Control Over Medical Records

NHS patients in Wales will be able to access their medical records online, supplement that information and share it with others under plans announced by the Welsh government. The Welsh government said people in Wales will “routinely use digital apps, wearable devices and other online resources to be well-informed and active participants in their care” under its plans. They will also be able to book appointments and order repeat prescriptions via online systems as well as “use the internet, email and video conferencing to connect with clinicians and care professionals in a way that suits them”. The Welsh government said that technology would also be used to ensure patients receive digital prompts, such as reminders about forthcoming appointments or to take medication or exercise. [Source] See also: [The price of wearable craze: Personal health data hacks: Your personal health information is about 10 times more valuable than a stolen credit card number on the black market]

US – Non-Healthcare Companies Have Exposed PHI in Breaches: Study

According to a study from Verizon, nearly 20% of breaches involving healthcare information are not detected for at least one year. This is due in part to the fact that some organizations outside the healthcare sector are unaware that they have healthcare data stored in their systems. 20% of healthcare breaches of health records involved privilege abuse. [Dark Reading] [The Register]

WW – Healthcare Pros Lack Confidence in Sharing Anonymized Data: Study

A Privacy Analytics and Electronic Health Information Laboratory survey of 271 healthcare professionals found that many organizations that share health data for “secondary purposes” are unsure that the data they are sharing is adequately anonymized, yet 56% are still planning to increase their 2016 sharing, Health Data Management reports. “The question is what is acceptable risk and how do you manage it,” said Privacy Analytics CEO Khaled El Emam. “We’ve seen some very large and complex data sets. And, to de-identify that, you really need some sophisticated techniques. There are good practices for de-identification and there are poor practices for de-identification,” he continued. [Health Data Management] See also: [New Guidance, Processes for De-Identifying Healthcare Data]

Horror Stories

WW – MacKeeper Exposes Personal Data of 13 Million Users

The company that makes MacKeeper has acknowledged a breach that exposed usernames, passwords, and other data for 13 million customers. Someone found the data while “searching for database servers that require no authentication and are open to external connections.” That person notified MacKeeper maker Kromtech; the company quickly blocked public access to the databases. [Krebs] [CNET]

Identity Issues

WW – Community Support FYI: Improving the Names Process on Facebook

Facebook will begin to test new tools that address two key goals. First, they want to reduce the number of people who are asked to verify their name on Facebook when they are already using the name people know them by. Second, they want to make it easier for people to confirm their name if necessary. These tools have been built based on many conversations with community leaders and safety organizations around the world. [Source]

Law Enforcement

CA – The Cellphone Spyware the Police Don’t Want to Acknowledge

The RCMP and the OPP have both declined to tell the Star if they use International Mobile Subscriber Identity (IMSI) catchers – also known as “stingrays” – because they say giving out that information could interfere with their investigations. Stingrays electronically mimic cellphone towers, and trick cellphones within their range into connecting to them. Once a phone makes the connection, the stingray can grab data from it – including phone numbers, texts, phone calls and websites visited – in real time. Ontario Privacy Commissioner Brian Beamish said the technology, which has a range of several kilometres, casts a wide net that doesn’t distinguish between suspects in criminal cases and ordinary citizens. “It’s potentially so intrusive in terms of the amount of information it can gather, not only about a target but about other people as well, people that aren’t under suspicion,” Beamish said. [Source]

Privacy (US)

US – Congress Passes the Cybersecurity Act of 2015

The Cybersecurity Act of 2015 (the “Act”) was passed by Congress this week as part of the 2016 omnibus spending package. The Act is very similar to the Cybersecurity Information Sharing Act (“CISA,” S. 754), which passed the Senate on October 27 and was the subject of a previous analysis, although there are some important differences which the linked analysis highlights. If enacted into law by the President as part of the spending package, the Act would, among other things, establish a voluntary framework for the sharing of cybersecurity threat information between and among the federal government, state governments, and private entities. [Overview at Inside Privacy]

Security

US – NIST Outlines Methods for Protecting Data from Cyber Attacks

The threat of ransomware is one of three example scenarios highlighted in a recent white paper released by the National Institute of Standards and Technology (NIST), titled Data Integrity: Reducing the Impact of an Attack. The paper launches a joint project led by the National Cybersecurity Center of Excellence (NCCoE), with participation by the Financial Services Information Sharing and Analysis Center (FS-ISAC) and several private sector organizations. [HLDA]

US – False Sense of Confidence Over Data Security: Report

A report finds that many retailers have a false sense of confidence when it comes to protecting their organization’s and their consumers’ sensitive data. A majority of retailers indicated they believe they are doing a good job with IT security efforts, but the study shows “gaping holes in their security programs such as sharing login credentials among multiple employees and not knowing if sensitive data is being leaked.” [Source]

Surveillance

EU – Few Time Limits on Deployments of CCTV Systems: Study

Video surveillance, first introduced in France, Italy and the UK by the private sector, is heavily used by law enforcement for security purposes; there are few limits regarding how long such systems may be deployed: 5 years in France (renewable for 4-month periods if there is a risk of terrorism), and no time limit in Italy or the UK. [The Use of Surveillance Technologies for the Prevention Investigation and Prosecution of Serious Crime – Céline C. Cocq and Francesca Galli, European University Institute]

UK – UK Spy Agency Admits Hacking Phones and Computers Without Warrants

GCHQ admitted for the first time in court that it engages in computer hacking. Previously it had refused to confirm or deny whether it had such capabilities. In 2013, 20% of GCHQ intelligence reports were based on information from hacking, the tribunal heard. That proportion is likely to have increased since then, as the use of encryption has made it more difficult to listen in on communications. Ben Jaffey, counsel for Privacy International, told the IPT, “GCHQ undertakes ‘persistent’ CNE operations where an implant ‘resides’ in a targeted computer for an extended period to transmit information or ‘non-persistent operations’ where an implant expires at the end of a user’s internet session.” [Source]

US – Make Sure Santa Registers Your Drone, FAA Warns

The Federal Aviation Administration (FAA) announced that new drones must be properly registered with a registration number visibly marked before they take to the skies. “Registration provides us with an opportunity to educate unmanned aircraft users about how to operate safely,” said FAA Deputy Administrator Michael Whitaker. “It will also create accountability, so when a drone is located that has been flying improperly we’ll be able to locate the owner,” he said. “There’s nothing that would require an enforcement action if we just get someone to do what they’re supposed to do.” [Washington Post] See also: [I Read the FAA’s 211 Page Drone Registration Regulation So You Don’t Have to] and [Privacy Nightmare: Own a Drone? FAA Wants Your Credit Card Number] and [FAA Finally Admits Names and Home Addresses In Drone Registry Will Be Publicly Available]

Telecom / TV

CA – CRTC Executes First Inspection Warrant for Suspected Violations of the Unsolicited Telecommunications Rules

The CRTC has executed its first warrant in relation to a telemarketing investigation, which allows it to enter and inspect a property in Ontario; the company is alleged to be making unauthorized calls to Canadians for the purpose of selling anti-virus software to numbers registered on the National Do Not Call List. [Canadian Radio-television and Telecommunications Commission – CRTC Executes First Inspection Warrant as Part of Telemarketing Investigation]

US Government Programs

WW – ISIS Releases PII of Government Officials; DHS Screening Scrutinized

Supporters of the Islamic State (ISIS) have allegedly released the personal information of several U.S. and French officials, CSM Passcode reports. Though not yet verified by the U.S. government, Twitter accounts tied to ISIS released the home addresses of some ex-State Department and CIA officials, as well as names and emails tied to officials from the French Ministry of Defense. Meanwhile, the State Department said, “obviously things went wrong” in the visa background checks of suspected San Bernardino shooter, Tashfeen Malik. At issue is a secret policy of the Department of Homeland Security that prevents officials from checking applicants’ social media postings as part of the screening process. According to the report, Obama administration officials had implemented the program out of fear of a civil liberties backlash. [CS Monitor]

US Legislation

US – CISA Buried in Omnibus Bill

A version of the Cybersecurity Information Sharing Act (CISA) with most privacy protections eliminated has been incorporated into the omnibus bill, which is likely to pass as the bill comprises a large portion of funding for the federal government. As currently amended, CISA no longer requires companies to anonymize data they turn over to the government, and it broadens the scope of purposes for which the government may use the data. [WIRED] [The Register] [TechDirt] See also: [Congress Adds ‘CISA’ To ‘Omnibus’ Budget Bill, Up To President Obama To Veto] [Ryan Urged to Leave Cyber Threat Sharing Bill Out of Omnibus] [OmniCISA Pits DHS Against the FCC and FTC on User Privacy] [Government privacy watchdog set to lose power to examine covert action]

US – “Do Not Track” Bill Lets Consumers Just Say No to Online Tracking

Sens. Richard Blumenthal (CT) and Ed Markey (MA) introduced the Do Not Track Online Act of 2015 [PDF], which would direct the FTC to create new regulations “regarding the collection and use of personal information obtained by tracking the online activity of an individual.” If the bill passes, the FTC would have a year to establish standards for implementing a simple and easy-to-use Do Not Track mechanism for consumers to indicate that their personal information should not be collected while surfing the web. The FTC would also create a rule prohibiting providers from collecting the personal information of individuals who have used the Do Not Track mechanism. [Source]

+++

06-13 December 2015

Big Data

WW – No, “Big Data” Can’t Predict the Future

The Bing teams are learning a lesson only Austrians and, more specifically, Misesian praxeologists, seem to be alone in grasping: that there are no constants in human action, and therefore that predictions of social phenomena are impossible. Pattern predictions, as Hayek called them, may not be impossible, but predictions of exact magnitudes are. For instance, we can rely on economic law (such as “demand curves slope downward”) to estimate an outcome such as “the price will be lower than it otherwise would have been,” but we can’t say exactly what that price will be. [Source]

HK – Hong Kong DPA Requires Data Subject Consent and DPA Authorization When Using Matching Procedures

The Privacy Commissioner for Personal Data (“PCPD”) issued guidance on matching procedures. Matching procedures cannot be carried out unless consent has been received from data subjects (voluntary express consent) and authorisation has been obtained from the DPA; the personal data collected for the procedure cannot be used for a new purpose (directly related or any other purpose) unless data subjects have given express consent. [PCPD Hong Kong – Information Leaflet – Matching Procedure – Some Common Questions]

Canada

CA – OPC Tables 2014-2015 Annual Report on Privacy Act

The Office of the Privacy Commissioner (OPC) of Canada’s 2014-2015 Privacy Act annual report was tabled in Parliament. Privacy Commissioner Daniel Therrien said the number of complaints to the OPC increased slightly during the fiscal year, totalling 3,977. Therrien has identified four strategic privacy priorities for the next five years: the economics of personal information; reputation and privacy; government surveillance; and the body as information. [OPC Press Release] [Federal Government Must Do More to Prevent Breaches] [Globe&Mail: Therrien Wants “Exhaustive Debate” on Bill C-51]

CA – Alberta OIPC Annual Report: Breaches Doubled This Year

Alberta Privacy Commissioner Jill Clayton says she’s alarmed by a near doubling of privacy breaches as well as concerned about “the growing number of court challenges of her investigations.” In her annual report, Clayton said the number of self-reported breaches is up 86% this year compared with the last. Breaches reported include information contained on mobile devices that is not encrypted as well as snoopers spying on family, friends and neighbors. Clayton also said government challenges to her cases are costing taxpayers money and delaying results. [Calgary Herald] See also [A BC Information and Privacy Commissioner adjudicator said government bureaucrats have the right to refuse to disclose email logs and also that it’s unreasonable to release the data with personal information redacted.]

CA – Section 30.1 of BC Privacy Law “Hampering Innovations”

The trend toward storing data on servers anywhere and everywhere, rather than on drives kept physically on site, runs directly into a BC privacy law. It was written 11 years ago to safeguard against U.S. snooping that was allowed by the far-reaching USA Patriot Act. It gets reviewed every 5 years by a committee. Another review is underway, and members have heard an earful recently about how that privacy safeguard — Section 30.1 — hampers public agencies trying to do business in the interconnected world. “It erodes our competitiveness. It’s preventing us from using world-class tools that other universities use in other jurisdictions. It’s adding costs and administrative complexity” says University of B.C. lawyer Paul Hancock (who was representing the four research universities). The College of Registered Nurses has also weighed in on the question of why private bodies routinely handle B.C. citizens’ personal information outside of Canada, but public bodies are forbidden from doing so. [The Victoria Times Colonist]

CA – Ontario’s Bill 113 Passed, What Now?

Timothy Banks provides an overview of concerns about the Ontario Police Records Checks Reform Act, 2015. The Ontario legislature passed the bill last week, but prior to that the Standing Committee heard concerns from stakeholders including the Association of Children’s Aid Societies, the National Association of Professional Background Screeners, the Ontario Nonprofit Network and the Civil Liberties Association. Banks offers an overview of those concerns, where they landed and what the government needs to do to make the law operational. [Full Story] [Ontario Breach Notification Bill Gains Traction]

CA – Trudeau Government Omits Bill C-51 in Maiden Throne Speech

The Throne Speech does not specifically reiterate Trudeau’s vow to repeal or amend controversial provisions in anti-terrorism legislation passed by the previous Conservative government. Among other things, Trudeau has promised to create a multi-party parliamentary oversight committee to monitor the activities of departments and agencies with responsibility for national security. He has also promised to amend the legislation so that it’s clear that legal protests or advocacy can’t be construed as terrorist activities. In what is likely meant to be an indirect reference to those promises, the throne speech says only that “the government will continue to work to keep all Canadians safe, while at the same time protecting our cherished rights and freedoms.” [National Post] See also: [Why nobody should bet on Trudeau ‘fixing’ C-51]

Consumer

WW – Google Responds to EFF Complaint About Student Data Privacy

“The facts about student data privacy in Google Apps for Education and Chromebooks” responds to the Electronic Frontier Foundation (EFF) complaint regarding Google Apps for Education (GAFE) and other products and services, especially Chrome Sync. “While we appreciate the EFF’s focus on student data privacy, we are confident that our tools comply with both the law and our promises, including the Student Privacy Pledge, which we signed earlier this year. …I want to reiterate some important facts about how our products work, how we keep students’ data private and secure, and our commitment to schools, more broadly…” [Google Apps Blog]

US – 64% of Shoppers Will Say Bye Bye to Breached Business

Gemalto’s newest global survey entitled “Broken Trust: ‘Tis the Season to Be Wary,” found that 64% of respondents felt they were “unlikely to shop or do business again with a company that had experienced a breach where financial information was stolen,” with 49% feeling that way regarding the loss of their personal information. “The media coverage of massive data breaches has done little to instill consumers’ confidence in how well companies, big and small, are protecting their data,” said Gemalto. “Either companies need to increase their security measures or, assuming that they already have these in place, they need to communicate this to their customers.” [Dark Reading]

WW – License Plate Readers Enter the Mainstream

OpenALPR boasts a cheap license plate reader (LPR) that interested shoppers can purchase online, and privacy advocates agree that the practice is legal. “There is not much in the law that would prevent someone from using the technology unless its use rises to the level of stalking or harassment,” said the Electronic Frontier Foundation. “License plates are exposed to public view, and ALPR companies like Vigilant consistently argue they have a First Amendment right to photograph plates and retain the data they collect.” [Ars Technica]

Electronic Records

US – How Electronic Health Records Are Harming Patients

EHRs are designed to support billing more than patient care, experts say. It shouldn’t come as a surprise that most doctors are unhappy with their electronic health record (EHR) systems, which tend to be clunky, hard to use and may actually get in the way of truly excellent patient care. Doctors’ biggest complaint about the EHR is that it slows them down, especially in the documentation phase. “Compared to handwriting or dictating, EHRs take doctors 9 times longer to enter the data… Sure, you have more information in the EHR than in paper records, but it takes more time.” Other alerts go off to prevent adverse drug interactions with other medications, allergies, or foods. Many of these are inapplicable to particular patients, and after a while, doctors may stop paying attention to them or turn them off. Three quarters of EHRs don’t allow the customization of these alerts. [Source]

Encryption

US – Comey Calls on Tech Companies Offering End-to-End Encryption to Reconsider “Their Business Model”

Comey and other government representatives have been pressuring companies like Apple and Google for many months in public hearings to find a way to provide law enforcement access to decrypted communications whenever there’s a lawful request. Deputy Attorney General Sally Quillian Yates said in a July hearing that some sort of mandate or legislation “may ultimately be necessary” to compel companies to comply, but insisted that wasn’t the DOJ’s desire. Now, there’s little pussyfooting about it. “There are plenty of companies today that provide secure services to their customers and still comply with court orders,” he said. “There are plenty of folks who make good phones who are able to unlock them in response to a court order. In fact, the makers of phones that today can’t be unlocked, a year ago they could be unlocked.” [The Intercept] SEE ALSO: [Senator Feinstein Working on Legislation to ‘Pierce’ Encryption] and [Don’t breach encryption warns privacy watcher] [How not to report on the encryption ‘debate’] and [Advocates and White House Officials Meet To Discuss Encryption Backdoors]

EU Developments

EU – First-Ever Breach Notification Law Passed in the EU

The European Union agreed to its first cybersecurity law, dubbed the Network and Information Security Directive (NISD), which mandates certain companies, like those operating critical infrastructure or financial services, along with Internet companies such as Amazon and Google, to report large-scale security incidents. “The internet knows no border—a problem in one country can have a knock-on effect in the rest of Europe,” said the European Commission’s Digital Chief, Andrus Ansip. “This is why we need EU-wide cybersecurity solutions. This agreement is an important step in this direction,” he added. “Member states will have to cooperate more on cybersecurity, which is even more important in light of the current security situation in Europe,” said European Parliament’s Rapporteur Andreas Schwab in a Computer Weekly report. [Reuters] [Hogan Lovells Summary: Agreement Reached on First EU-Wide Rules to Improve Cybersecurity]

An EU Parliament press release reports that the rapporteur on the general data protection regulation, Philipp Albrecht, is optimistic that the three-way trilogue discussions will result in a final deal by the end of 2015. Learn more

The European Data Protection Supervisor (“EDPS”) has established an external advisory group on the ethical dimensions of data protection; members of the Advisory Group will be appointed for a term from February 1, 2016 to January 31, 2018. Learn more

Facts & Stats

CA – City of Toronto Says You Need Permission to Photograph Your Own Kids in a Park or Outdoor Rink

A Star editor was not happy to be told on a trip to Colonel Sam Smith Skating Rink with his kids that he was not allowed to take photos. The city says he technically needs permission, but staff are supposed to use discretion. Since at least 2001, the City of Toronto has had a policy stating: “Patrons wishing to use cameras, video cameras or other photographic devices, including camera phones and PDAs (Personal Digital Assistants), in any program or facility must receive permission from staff before filming. Pictures may only be taken of children/patrons in their personal care. Every attempt should be made to limit or eliminate other patrons from being filmed in the background. When possible staff should make a verbal request for permission to photograph other patrons who may be in the area where pictures are being taken.” [Source]

Finance

WW – Data Privacy Concerns Hinder Mobile Payment Adoption

Identity theft, payment fraud and data privacy concerns remain the biggest barriers to mass adoption of mobile payment services, according to an Inside Secure survey of 1,217 American consumers. The survey revealed that 17% of respondents who did not make holiday purchases with their mobile phone last year plan to use a payment service such as Apple Pay, Android Pay, Samsung Pay or a proprietary service from their bank or card issuer to make the leap to mobile payments this holiday season. Seventy percent of people who are not planning to use their smartphone to make in-store holiday purchases state that their concerns about identity theft prevent them from using in-store mobile payment applications. 70% state that their concerns about mobile payment fraud prevent them from using in-store mobile payment apps, and 71% stated that the privacy of their transaction data was a top concern.

FOI

UK – ICO Warns of Return to the ‘Dark Ages’ Upon Launch of FOI Review

The Information Commissioner’s Office praised the work of journalists and said the introduction of flat rate fees would be “disproportionate”. On protection given to “internal deliberations of public bodies”, the ICO said current exemptions under section 35 and 36 of the act are “sufficient”. Graham said: “The danger is that the Whitehall machine might run more smoothly, [but] you are back to that world of private government – which I just don’t think fits with the 21st century.” He also suggested Whitehall’s “concern” over the FoI Act is “slightly overdone”, saying a “very small minority” of cases that come to his office result in defeats for the Government. [Source]

Health / Medical

AB – Alberta OIPC Report Finds Health Department Flouts Privacy Law

The Alberta Office of the Information and Privacy Commissioner released an investigation report that found Alberta Health has failed to provide the required oversight to prevent privacy breaches involving electronic health records. The report found a legally-mandated committee charged with overseeing stewardship of data made available through Netcare was effectively disbanded two years ago. Netcare contains millions of records – including lab results, drug prescriptions and hospital discharge summaries – that can be accessed electronically by over 44,000 registered users in health care facilities and doctors’ offices around the province. [Source]

US – OCR’s Enforcement Efforts Focus on Big Breaches Over Small

Smaller healthcare breaches, like revealing Facebook statuses by doctors or the inappropriate sharing of patient files, rarely get the Office for Civil Rights’ (OCR) focused attention and enforcement efforts that large-scale breaches do. “Health providers are required to notify the office within 60 days of breaches affecting at least 500 people and also must share details with the media and contact those potentially affected.” “Rarely do small privacy breaches get anywhere near the same attention, except when they involve celebrities or high-profile individuals.” This September, the Health and Human Services’ “inspector general issued a pair of reports that criticized [the OCR], including its handling of small breaches,” which found that the “OCR did not investigate the small breaches reported to it or log them in its tracking system.” [NPR]

WW – Survey: Healthcare Pros Unsure Data Sharing, Privacy Can be Reconciled

A Privacy Analytics survey of 271 healthcare professionals determined that more than two thirds of respondents lack confidence in their organizations to share data while protecting privacy. “Confidence in protecting privacy is correlated to an organization’s data management practices,” the survey states. “Respondents whose organizations use de-identification software or third-party de-identification services are more likely to have complete confidence in the ability to responsibly share data for secondary use.” Meanwhile, a CIO Summit survey discovered that “board and leadership involvement is essential in creating the right solutions and strategies for healthcare organizations.” [HealthITSecurity]

WW – OTA Releases Checklist on Smart Device Safety

The Online Trust Alliance (OTA) has released a checklist aiming to help consumers avoid getting hacked as they use any of the 50 million smart devices that will be sold over the holiday season. “That’s 50 million opportunities for data and home network compromises as well as privacy abuses, which is why it’s imperative that consumers follow our guidelines,” said OTA executive director and president. “Consumers should not have to pay twice—once with their credit card and then again in perpetuity with their personal data, identity and safety.” The checklist can be found here. [NetworkedWorld]

WW – Mental Health Apps on the Rise, But What About Privacy?

Scientific American reports on the increase in mental healthcare apps and the privacy concerns that come along with such sensitive data collection. New mobile devices help users diagnose and monitor mental health symptoms, but in order to do so, such technology needs to passively gather constant streams of personal data—including sleep patterns and physical activity. In addition to an alleged lack of evidence-based research proving mental health apps are working, there is also concern that privacy is not appropriately protected. A task force set up earlier this year by the American Psychiatric Association noted, “This is a challenging task given the lack of clinical data on how apps can help or harm patients, serious concerns about privacy and data security and the need for more discussion on related ethical issues.” [Scientific American] In 2013, a study in the JMIR mHealth uHealth, revealed that only five apps targeting depression, anxiety and substance abuse had been tested for clinical effectiveness. A similar study this May in Internet Interventions showed that by last November there were only 10 peer-reviewed published articles for depression apps, and four for bipolar disorder.

Horror Stories

US – University Medical Center Agrees to Pay $15,000 for Breach of Patient Information

An employee of the center provided a list of patient information (names, addresses and diagnoses) to her future employer. The agreement requires the center to provide to the Attorney General its privacy, security and breach notification policies and procedures and notification of any breach of unsecured PHI; all staff must be trained on any new or revised policies and procedures. [New York State Office of the Attorney General – A.G. Schneiderman Announces Settlement With University Of Rochester To Prevent Future Patient Privacy Breaches | Press Release | Settlement Agreement]

US – Moms Sue Mattel Over Talking Barbie

Two mothers have filed a class-action against Mattel claiming the company’s Hello Barbie doll “invades children’s privacy.” The doll uses speech recognition software to talk to kids and then stores the conversations in the cloud, the report states. Users must register the doll and create an account, at which point parents receive an e-mail stating recordings won’t be used for ads and any personal information collected in conversation will be deleted. The plaintiffs say the doll doesn’t comply with the Children’s Online Privacy Protection Act (COPPA) in part because children across the country, friends of doll-owners, have been recorded without their parents’ permission. [Full Story]

Internet / WWW

WW – Support for Old Internet Explorer Sunsets

After January 12, 2016, Microsoft will no longer provide updates for older versions of Internet Explorer (IE). One estimate suggests that as many as 124 million users are running Internet Explorer versions 10 and earlier. The only version of IE that will continue to receive updates after January 12, 2016 is IE 11. [Microsoft] [ZDNet]

WW – Windows XP Embedded Extended Support Expires Next Month

Microsoft is scheduled to end Extended Support for Windows XP Embedded, which is still running on many of the UK’s 70,000 cash machines. ATM owners are urged to upgrade their systems prior to January 12, 2016, after which time Microsoft will no longer provide updates. [v3.co.uk]

Privacy (US)

WW – Top Privacy Stories for 2016: US-EU Transfers, Cybersecurity, and Government Surveillance

Organisations should monitor the following topics in 2016 – Safe harbor 2.0 (may depend on the outcome of the Judicial Redress Bill which is currently before the Senate) and the Network Information Security Directive (“NISD”) which is to be published in 2016 by the European Commission (it will require organisations to take appropriate technical and organisational measures to manage risks posed to the security of networks and report “significant cyber security incidents” to regulators). [Source]

US – Multinational Hotel Chain Must Maintain Detailed Security and Audit Program as Part of 20-Year Settlement Agreement with FTC

The FTC was granted an injunction against Wyndham Hotel Group in relation to alleged unfair and deceptive security practices in violation of the FTC Act. The FTC had filed a lawsuit against Wyndham in 2012 alleging unfair acts or practices related to a security breach. The chain is required to implement and maintain a comprehensive security program (e.g. appointing an individual(s) responsible for the program and conducting risk assessments); a written assessment of the chain’s compliance with the approved standard (defined as PCI DSS or a comparable standard submitted by the chain and approved by the FTC) must be conducted by a qualified and independent third party assessor annually, and within 180 days of a breach of more than 10,000 unique payment card numbers. [FTC v. Wyndham Worldwide Corporation, et al. – Stipulated Order for Injunction – United States District Court For The District Of New Jersey]

US – FTC Explains How Their Enforcement Practices Differ from the FCC

The FCC reclassified broadband as a Title II common carrier service and as a result, the FTC’s jurisdiction over ISP practices is limited; the FTC is concerned that what appears to be a “strict liability” data security standard will actually harm consumers, since the costs imposed by a regulator on a legitimate, non-fraudulent company are ultimately borne by its consumers (a recent Order by the FCC fined an ISP $595,000 when there was no evidence of any consumer harm). [Source]

US – Class Action Lawsuit Alleges Smart TV Manufacturer’s Tracking Software Surreptitiously Collects and Discloses Users’ Viewing Habits

A class action lawsuit filed against Vizio, a smart TV manufacturer, and Cognitive Media Networks, a tracking technology company, (collectively, the “Defendants”) alleges violations of the Video Privacy Protection Act (“VPPA”) and various California laws. [Palma Reed et al. v. Cognitive Media Networks, Inc. and Vizio, Inc. – Class Action Complaint and Demand for Jury Trial – In the United States Court For The Northern District Of California San Francisco Division]

US – Advocacy Group Says All Drones Should be Registered and All Operating Drones Should Have GPS Tracking

An advocacy group submitted comments in response to the Federal Aviation Administration (“FAA”)’s request for public comments on drone registration requirements. The FAA should mandate registration for all drones (regardless of size) and require any drone operating in national airspace to include a GPS tracking feature that would always broadcast the owner identifying information; the registration database of commercial operators should be publicly available, but privacy protections should be implemented for hobbyist operators (restricting the use and release of their information for specific purposes). [Comments to the U.S. Department of Transportation, Federal Aviation Administration – Clarification of the Applicability of Aircraft Registration Requirements for Unmanned Aircraft Systems (UAS) and Request for Information Regarding Electronic Registration for UAS – Electronic Privacy Information Center]

Privacy Enhancing Technologies (PETs)

WW – New Privacy-as-a-Service Cloud Tech Unveiled

New technology released this week purports to protect the privacy of users by providing “invisible connections and invisible computers.” Dispel CEO said “We have built an engine that allows us to dynamically generate unattributable, encrypted and ephemeral infrastructure using multiple cloud providers.” The system connects a user’s device to Dispel’s network in a way that does not reveal the user’s identity, location or content. “We are a totally new proprietary technology …There are no fixed network targets and nothing is publicly listed, so users don’t need to trust a random stranger.” [eWeek]

WW – File-Sharing Data in the Cloud Sheds Privacy Light

Cloud provider Skyhigh took stock of 500 companies it serves, finding that 39% of cloud-sent “corporate data” finds its way to file-sharing applications. However, “worryingly from a data security perspective, the average organization shares documents with 826 external domains, which includes business partners and personal email addresses,” the report states, adding that 9.2% of data shared externally includes delicate information. “While there are a lot of numbers in here, there are some patterns that will either be of concern (if you’re a security-conscious CIO within a highly regulated industry) or positive (if you’re involved with a cloud file sharing solution provider),” the report continues. “Either way, surfacing this sort of data helps everyone plan and react to what is going to be a continuing pattern of use.” [Computerworld]

RFID / Internet of Things

CA – Canadian Regulation Should Accord with International Approaches

A law firm discusses the regulation of and the Canadian approach to the Internet of Things (“IoT”). Regulations that are not in line with international approaches can lead to increased regulatory compliance costs to enter the Canadian market and increased barriers to Canadian companies entering global markets; suggested practices issued by the US FTC include data minimization, prioritization of building security into devices, adequately training employees, monitoring devices and reporting security breaches to consumers. [The Internet of Things – Guidance Regulation and the Canadian Approach – Kirsten Thompson and Brandon Mattalo – McCarthy Tetrault]

Security

WW – Majority of 2015 Breaches Due to Employee Error: Global Survey

A cybersecurity report released by the Association of Corporate Counsel has found the most common reason for a data breach at companies is employee error. The report surveyed more than 1,000 in-house lawyers in 30 countries and found 30% of breaches in 2015 were the result of employee error. Other causes included unauthorized access to data by insiders and phishing attacks. 50% said their company has cyber insurance, with 68% reporting coverage of $1 million or more. [Wall Street Journal]

WW – Ransom Paid By Police and Law Firms to Hackers: Expert

The president of the Privacy and Access Council of Canada says it’s not just individuals and small businesses who are shelling out to hackers who infect their computers with viruses. “Police departments and law firms are very, very attractive targets and they pay quite often,” said Sharon Polsky, a Calgary data protection and privacy expert. “If it’s worth it to them to regain control of their information, absolutely they’re going to pay it,” she said. [CBC]

Surveillance

US – FBI Official Says the Agency Uses Zero-Days, StingRays

FBI executive assistant director for science and technology Amy Hess acknowledged that her agency uses zero-day vulnerabilities in the course of its investigations. Hess also said that the FBI has never issued a gag order to police regarding the use of cell-site simulator technology, often referred to as StingRay. What the FBI does not want disclosed are the “engineering schematics,” or technical details about how the device works. [Washington Post] [ArsTechnica] SEE ALSO: [Feds Ordered to Disclose Data About Wiretap Backdoors] [Judge prods FBI over future Internet surveillance plans]

US – Federal Judge Orders Justice Department to Disclose Wiretap Program Info

A federal judge is ordering the Justice Department to disclose more information about its so-called “Going Dark” program, an initiative to extend its ability to wiretap virtually all forms of electronic communications. The ruling by U.S. District Judge Richard Seeborg of San Francisco concerns the Communications Assistance for Law Enforcement Act, or CALEA.

UK – UK’s Surveillance Camera Commissioner Issues First Annual Report

Report deals with video surveillance cameras, body worn cameras, Automated Number Plate Recognition. [Report]

WW – U.N. Calls for ‘Anti-Terror’ Internet Surveillance

A United Nations report calls for Internet surveillance, saying the lack of an “internationally agreed framework for retention of data” is a problem, as are open Wi-Fi networks in airports, cafes, and libraries. The United Nations is calling for more surveillance of Internet users, saying it would help to investigate and prosecute terrorists. A 148-page report titled “The Use of the Internet for Terrorist Purposes” warns that terrorists are using social networks and other sharing sites including Facebook, Twitter, YouTube, and Dropbox, to spread “propaganda.” The report, released at a conference in Vienna convened by UNODC, concludes that “one of the major problems confronting all law enforcement agencies is the lack of an internationally agreed framework for retention of data held by ISPs.” Europe, but not the U.S. or most other nations, has enacted a mandatory data-retention law. [CNET]

US Government Programs

US – OPM IG Report Found the Agency Dropped the Ball

The Office of Personnel Management’s (OPM) Inspector General (IG) publicly released its report this week, which found the agency improperly handled how it awarded its contract to the company responsible for the first round of data breach notifications, prompting House Oversight Committee Chairman Jason Chaffetz (R-UT) to call for the resignation of OPM Chief Information Officer Donna Seymour. “I write once again to augment my concerns that Ms. Donna Seymour … is unfit to perform the significant duties for which she is responsible,” he said. “It is troubling that yet another IG report has found that Ms. Seymour failed to effectively fulfill her duties.” According to the IG, the agency’s contractual agreement with vendor CSID violated federal contracting regulations in five ways, including inadequate market research and an unreliable contract file. [CNN]

US Legislation

US – Librarians and Privacy Advocates Ally to Condemn Cybersecurity Bill

The American Library Association, the world’s oldest and largest library affiliation, has joined with 18 other groups to issue a letter to the White House and Congress urging lawmakers to oppose the final version of a bill they claim will dramatically expand government surveillance while failing to tackle cyber-attacks. Politicians from both sides of the House have been pushing for stronger cybersecurity measures in the wake of the Paris attacks and the recent San Bernardino shooting. Republican House speaker Paul Ryan has been leading the charge to push through legislation and reconcile two bills, the Protecting Cyber Networks Act (PCNA) and the National Cybersecurity Protection Advancement Act, with the Cybersecurity Information Sharing Act of 2015 (CISA), a controversial bill that passed a Senate vote in October. According to the letter’s signatories, the proposed “conference” legislation would:

  • Create a loophole that would allow the president to remove the Department of Homeland Security, a civilian agency, as the lead government entity managing information sharing.
  • Reduce privacy protections for Americans’ personal information.
  • Overexpand the term “cyber threat” to facilitate the prosecution of crimes unrelated to cybersecurity.
  • Expand already broad liability protection for information disclosure.
  • Pre-empt state, local or tribal disclosure laws on any cyber-threat information shared by or with a state, tribal or local government.
  • Eliminate a directive to ensure data integrity.

Moreover, they argue, the legislation would dramatically expand the amount of sensitive information held “by government agencies with dismal records on data security” and institute “blind, automatic transfer of personal information to intelligence agencies, including the National Security Agency, that would be authorized to use the information for non-cybersecurity purposes.” [The Guardian]

US – Student Privacy Laws Are On the Rise

Student data privacy legislation has been on a tear recently. At the state level this year, 47 states have introduced 186 bills addressing student data privacy, and 15 states passed 28 new laws. Much of the legislation is modeled on California’s landmark Student Online Personal Information Protection Act, effective January 1. Both the U.S. Senate and the House have responded to President Barack Obama’s call for enhancing student data safeguards under the Family Educational Rights and Privacy Act with new legislative proposals. If there’s one privacy goal that commands widespread political support, it’s the protection of student data. But protection from what? [IAPP News] [Data Quality Campaign]

Workplace Privacy

WW – Questions to Consider When Monitoring Employees

There has been an increase in available technology to help organizations better monitor their employees to help protect their property and assets. Any time a business engages in employee monitoring, they also risk alienating their employees or even running afoul of state or federal law. But what kinds of questions should organizations be asking when deciding to track and monitor their workforce? This article looks into an array of monitoring techniques and lays out the types of questions privacy pros should consider when engaging in this important, but potentially controversial, activity. [Full Story]

+++


26 Nov – 06 Dec 2015

Big Data

WW – Smarter Cities Will be based on Open Data, says Expert

Imagine a world where the smart meters used to record and manage energy consumption in homes are used by health care providers to monitor outpatients, or where information recorded by traffic cameras or road sensors is used to help people plan their journeys more efficiently. Regardless of the model being adopted, the success of smarter cities will depend on the liberalisation of data that has been traditionally locked into individual bits of infrastructure. Freeing up that data, and using software to manipulate the information for wider use, will deliver benefits like smarter energy consumption, transportation, city planning and health care in cities. [Out-Law]

WW – Most Businesses Collecting Data They Never Use, Survey Finds

Most companies in the UK, France and Germany collect data they never use, according to a new survey. 22% of respondents admitted that they often collect data that they never end up using, whilst half of those surveyed said it “happens occasionally.” Just over a quarter of respondents (26%) said they always use the data they collect. A lack of internal skills, cost, the time-consuming nature of data processing and a lack of “proper data processing tools” were all cited as reasons why organisations do not “fully process” the data at their disposal. In an opinion issued on data protection and the internet of things (IoT) last year, EU privacy watchdog the Article 29 Working Party warned businesses that collecting personal data that is not necessary for the purposes they wish to pursue, in the hope that they will find a use for it in future, could put them in breach of EU data protection laws. [Out-Law] SEE ALSO: [Big Data to Become a Big Asset at Deutsche Bank] and [How to Keep Your Customers’ Trust While Collecting and Learning From Their Data] and [The Internet of Things: Guidance, Regulation and the Canadian Approach] and also [Nielsen study on Information Security for Small and Medium Enterprises recently commissioned by Chartered Professional Accountants of Canada]

Canada

CA – BC Commissioner Recommends FIPPA Amendments

B.C.’s FIPPA should be amended to require public bodies to have a comprehensive privacy management program (including privacy training and a FIPPA complaints process), require notification of a breach to individuals and the OIPC that would cause significant harm; the current OIPC’s complaint process and review and inquiry process should be streamlined into one process, and the penalties for offences under FIPPA should be raised to a maximum of $50,000 for both general and privacy offences. Other recommendations include requirements for public bodies to document key actions and decisions, to apply de-identification methods to public data sets, correct PI when an individual requests it, amend definitions of “data-linking,” “advice” vs “recommendations” and to enact new comprehensive health information laws. [OIPC BC – Submission to the Special Committee to Review the Freedom of Information and Protection of Privacy Act] [Press Release] [Speech]

CA – BC Supreme Court Rules OIPC Has Responsibility for Breach Remedies

The Supreme Court heard an appeal and cross-appeal of an appellant’s claim of breach of privacy by an employee of the Insurance Corporation of BC. At issue were claims for vicarious liability for breach of privacy, and for negligent breach of a statutory duty. According to the ruling, the BC FIPPA provides a comprehensive complaint and remedy procedure for public bodies that fail to protect personal information; the Commissioner has supervisory responsibility over the adequacy of a public body’s information security arrangements, can investigate and attempt to resolve complaints, and has ordering powers. [Ari v Insurance Corporation of British Columbia – Court of Appeal for British Columbia – 2015 BCCA 468 CanLII] See also: [Quebec Privacy Commission Encourages Organisations to Report Security Incidents] [Press Release (French)] [Security Incident Reporting Form (French)]

Consumer

WW – Growing up Cyber: Generation Z and Online Privacy

A new study analyses where Generation Z excel in privacy but may need a friendly nudge in the right direction, examining passwords, messaging apps, cybercrime and social media privacy, noting Generation Z became experts in adjusting their privacy settings for fear of embarrassing baby pictures popping up on their friends’ newsfeeds, and are well versed in how to hide information and what to do when something just doesn’t feel right. Case in point, 74% of teen social media users have deleted people from their networks. [Source]

E-Government

US – New Federal Council Will Hone in On Data Privacy Issues

The Office of Management and Budget is creating a new Federal Privacy Council to make policy recommendations, establish best practices and foster a community of privacy professionals within the federal government. The Privacy Council will be modeled on the Federal CIO Council — a group of agency CIOs that work together to advise on IT priorities. The new council will form in early 2016. [Source] SEE ALSO: [OPM Just Now Figured Out How Much Data It Owns: The Atlantic] See also: [Lessons learned from the Adobe data breach]

Encryption

WW – Free Encryption Certificates Now Available to Public

The Let’s Encrypt project is now offering free TLS certificates to the general public. The project, which is run by the Internet Security Research Group, initially ran a trial for a small group of volunteers earlier this fall. The certificates are trusted by all major browsers. [The Register]

WW – Blackberry to Leave Pakistan Over Government Access Demands

BlackBerry has announced it will no longer operate in Pakistan because of local government demands for access to communications. The government wanted access to all BlackBerry Enterprise Service (BES) traffic in the country, including all BES emails and messages. “We do not support ‘back doors’ granting open access to our customers’ information and have never done this anywhere in the world,” wrote BlackBerry’s Chief Operating Officer. [Computerworld]

WW – Dell Installs Root Certificates on Laptops, Endangers Users’ Privacy

Users are reporting that some Dell laptops sold recently come preloaded with a self-signed root digital certificate that lets attackers sniff traffic to any secure website. “If I were a black-hat hacker, I’d immediately go to the nearest big city airport and sit outside the international first class lounges and eavesdrop on everyone’s encrypted communications,” said the CEO of a major security firm. “I suggest ‘international first class,’ because if they can afford $10,000 for a ticket, they probably have something juicy on their computer worth hacking.” [PC Advisor] SEE ALSO: [Millions of Internet Things are “secured” by the same “private” keys]

EU Developments

EU – Report Argues Greater Role for DPAs in Supervising Intelligence Agencies

According to a new report by the European Union Agency for Fundamental Rights, there is no consistency in EU Member States’ oversight systems in relation to intelligence services (e.g. in almost half of all Member States DPAs have no competence over intelligence services), and there are gaps between DPAs and oversight bodies; in almost 1/3 of Member States there is no law providing for the obligation to inform and the right of access. [Surveillance by Intelligence Agencies: Fundamental Rights, Safeguards and Remedies in the European Union] [Summary] [EU wants to give national privacy regulators more clout in new U.S. data pact] SEE ALSO: [EU Member States Agree Higher Fines for Firms For Privacy Violations]

EU – Officials Pressing Tech Companies for More Access

E.U. officials want the large U.S.-based technology companies to work with them in providing more access to user data to help fight terrorism. Companies including Facebook, Twitter, Microsoft, Apple and Alphabet’s Google reportedly met with government and law-enforcement officials from the EU to talk about ways of cooperating to fight terrorism. One meeting in Paris with the French PM focused on finding ways to quickly remove propaganda from social networks, but another focus for EU officials was on finding ways to include so-called back doors into encrypted services. [The Wall Street Journal]

UK – Snooper’s Charter: Privacy Groups Challenge Controversial Bill

Security experts, civil liberty groups and technology organisations have pushed back against key sections of the recently revealed Investigatory Powers Bill in 46 separate written submissions to the government. Now, as the bill faces increasing scrutiny, V3 has analysed the submissions sent to the Science and Technology Committee to pick out the key arguments, finding strong opposition to approaches on encryption, bulk surveillance and hacking. [Source]

EU – EU-Based Cloud Aims to Solve Safe Harbor Data-Storage Conundrum

European cloud provider Zettabox launched its Zettabox Euro Harbor service, which is geared toward helping U.S. companies comply with post-Safe Harbor data storage. The new service aims to allow companies acting as data controllers and operating in Europe to store their clients’ data in the EU in one of 10 European data centers, offering reassurance to EU customers and regulators that U.S. law enforcement and intelligence services can’t legally access the data stored in such servers. [TechWeek]

EU – “Privacy Bridges” Proposals at Amsterdam Commissioners’ Conference

19 renowned privacy experts from the US and the EU have developed ten practical proposals to increase the transatlantic level of protection of personal data. Most proposals can be implemented within the existing, differing legal systems and are applicable worldwide. They are pragmatic bridges that benefit people, companies, governments and supervisory authorities. The experts present their report at the International Privacy Conference at the end of October in Amsterdam. Their paper is now available. [Privacy Conference 2015] [EU-U.S. Privacy Bridges]

UK – ICO Announces Search for Successor

The ICO announced that it is seeking a successor to its head, Christopher Graham. The job listing notes, “This is a demanding and high profile role as a key UK regulator. The successful candidate will be an outstanding individual with a strong professional track record who is able to take and defend difficult decisions, to win the confidence of a wide range of stakeholders from all sectors and to act as the public face of the organization at a domestic and international level.” The office is based in Wilmslow, Cheshire, with three regional offices, and employs roughly 400. The appointment is for five years. [Press Release]

Facts & Stats

WW – Google Releases Right To Be Forgotten Statistics

Google’s most recent Transparency Report reveals that the search engine took stock of 1.2 million webpages in its right-to-be-forgotten evaluations, eradicating 42% of problematic links, the majority of which were Facebook-borne. “Google doesn’t explain in its data why it removes some links and keeps others,” the report states. “But it dropped clues signaling it takes into account whether someone is a public or private figure, whether it considers crimes to be minor, and whether embarrassing incidents took place during a person’s private or professional life.” The countries with the highest number of requests? France and Germany. [The Wall Street Journal] [Facebook tops Google’s list of domains for ‘right to be forgotten’ requests]

CA – Data Breaches Cost Canadian Companies $250 per Record

IBM partnered with the Ponemon Institute to examine the cost of data breaches in Canada. Twenty-one companies participated in the study, which found that the average per capita cost of a data breach is $250 and the average total organizational cost is $5.32-million. The industries with a per capita data breach cost substantially more than $250 were financial, services, technology and energy. Public sector, education and consumer organizations had a per capita cost well below the overall mean value. [Globe & Mail]

Finance

WW – PCI SSC Explains How to Respond to a Breach

The Payment Card Industry Security Standards Council (PCI SSC) published a three-page guide titled Responding to a Data Breach that articulates its position on the correct response to a security incident at a merchant location where the attack exposed cardholder data. This guidance highlights some of the difficulties in developing proper response procedures, specifically the challenges in mapping out complete, thorough procedures that actually hold up under the stress of an actual incident. [IAPP]

FOI

CA – Liberal Transparency Reforms Subject to ‘Review’ Next Year

Trudeau has pressed for reform of access to information since 2014, but nothing is planned for 2015. The Liberal government quickly implemented some key policies, including the removal of a gag order on government scientists, shutting down a court case about niqabs at citizenship ceremonies and ramping up Syrian refugee processing. But there has been no directive from the top about releasing more documents under freedom-of-information law, a move the U.S. president made on his first day in office. [CBC]

US – FTC goes ‘Star Chamber’ on Warrant Transparency

Nobody knows how many administrative subpoenas are issued by government agencies. Administrative subpoenas are warrants for records such as private “papers” and emails. They are issued unilaterally by government bureaucrats and are impossible to reconcile with the Fourth Amendment’s requirements of “oath and affirmation” of “probable cause” before neutral judges. Watson and The Daily Caller News Foundation have issued multiple FOIA requests to various government agencies to get a sense of how many of these subpoenas are issued. [Source]

UK – ICO Guidance for Removing PI When Responding to Access Requests

The UK Office of the Information Commissioner published guidance on how to disclose information safely when responding to information requests. Organisations should control access to files containing personal data and use specific software to permanently redact information intended for release in an electronic format; when considering disclosure of files, organisations should consider if the file contains linked data, meta-data or comments that should be removed. [ICO UK How to Disclose Information Safely – Removing Personal Data from Information Requests and Databases]
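The ICO guidance above lists the residue that commonly leaks in electronically released files: embedded metadata, comments, tracked changes, hidden text and links to other data. As an added example, not from the ICO or the original page, the following stdlib-only Python audits a .docx (a ZIP of XML parts) for exactly those leftovers before release; the document parts, author names and link target it builds are constructed samples.

```python
"""Pre-release audit of a .docx for residual metadata, comments, tracked changes,
hidden text and external links (added example; sample documents are constructed)."""
import io
import zipfile
import xml.etree.ElementTree as ET

# Namespaces used inside Office Open XML packages.
NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
    "w": "http://schemas.openxmlformats.org/wordprocessingml/2006/main",
    "r": "http://schemas.openxmlformats.org/package/2006/relationships",
}
W = "{%s}" % NS["w"]


def audit_docx(data: bytes) -> dict:
    """Return a findings dict describing everything that should be removed before release."""
    findings = {"core_properties": {}, "comments": [], "tracked_changes": 0,
                "hidden_text": 0, "external_links": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        # 1. Document properties: author, last editor, title, description.
        if "docProps/core.xml" in names:
            core = ET.fromstring(z.read("docProps/core.xml"))
            for tag in ("dc:creator", "cp:lastModifiedBy", "dc:title", "dc:description"):
                el = core.find(tag, NS)
                if el is not None and el.text and el.text.strip():
                    findings["core_properties"][tag] = el.text.strip()
        # 2. Reviewer comments, with the author recorded on each one.
        if "word/comments.xml" in names:
            for c in ET.fromstring(z.read("word/comments.xml")).findall("w:comment", NS):
                text = "".join(t.text or "" for t in c.iter(W + "t"))
                findings["comments"].append((c.get(W + "author", ""), text))
        # 3. Tracked insertions/deletions and runs marked hidden (w:vanish).
        if "word/document.xml" in names:
            doc = ET.fromstring(z.read("word/document.xml"))
            findings["tracked_changes"] = (len(doc.findall(".//w:ins", NS))
                                           + len(doc.findall(".//w:del", NS)))
            findings["hidden_text"] = len(doc.findall(".//w:vanish", NS))
        # 4. Relationships pointing outside the package (linked data sources).
        if "word/_rels/document.xml.rels" in names:
            rels = ET.fromstring(z.read("word/_rels/document.xml.rels"))
            for rel in rels.findall("r:Relationship", NS):
                if rel.get("TargetMode") == "External":
                    findings["external_links"].append(rel.get("Target"))
    return findings


def is_release_safe(findings: dict) -> bool:
    """True only when no category of residue was found."""
    return not any(findings.values())


def build_sample_docx(with_residue: bool) -> bytes:
    """Constructed minimal package (enough parts for the audit, not a full valid .docx)."""
    core = ('<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">' % (NS["cp"], NS["dc"])
            + ("<dc:creator>analyst-jdoe</dc:creator>"
               "<cp:lastModifiedBy>legal-review</cp:lastModifiedBy>" if with_residue else "")
            + "</cp:coreProperties>")
    extra = (('<w:ins w:author="analyst-jdoe"><w:r><w:t>draft wording</w:t></w:r></w:ins>'
              "<w:r><w:rPr><w:vanish/></w:rPr><w:t>internal note: do not release</w:t></w:r>")
             if with_residue else "")
    document = ('<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>Disclosed text</w:t></w:r>'
                % NS["w"] + extra + "</w:p></w:body></w:document>")
    comments = ('<w:comments xmlns:w="%s"><w:comment w:id="0" w:author="analyst-jdoe">'
                "<w:p><w:r><w:t>check name before release</w:t></w:r></w:p>"
                "</w:comment></w:comments>" % NS["w"])
    rels = ('<Relationships xmlns="%s"><Relationship Id="rId1" Type="x" '
            'Target="file:///C:/internal/source.xlsx" TargetMode="External"/>'
            "</Relationships>" % NS["r"])
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", document)
        if with_residue:
            z.writestr("word/comments.xml", comments)
            z.writestr("word/_rels/document.xml.rels", rels)
    return buf.getvalue()


if __name__ == "__main__":
    for label, residue in (("clean", False), ("draft", True)):
        result = audit_docx(build_sample_docx(residue))
        print(label, "release-safe:", is_release_safe(result), result)
```

Run it against a real file with `audit_docx(open("report.docx", "rb").read())`; a non-empty finding means the file needs a redaction or "save as clean copy" pass before it leaves the organisation.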

Genetics

CA – Supreme Court Zeroes in on Penile Swabs

The clash between the privacy rights of a criminal suspect and the powers of police is once again before the Supreme Court. This time the court must decide whether police are permitted to force an individual suspected of committing a sexual assault to provide a genital swab for the purposes of obtaining DNA evidence. The trial judge found that the search (leading to a match) was unreasonable but admitted the evidence under s. 24(2) of the Charter. A majority of the Alberta Court of Appeal found that a warrant should have been obtained first, yet it also upheld the conviction under s. 24(2). The other judge on the panel found that this was a legitimate search incident to arrest under the common law powers of police and a warrant was not necessary. According to the Alberta Crown and the Ontario Ministry of the Attorney General, which is an intervener, whether a genital swab without a warrant is appropriate should be governed by the same test the Supreme Court set out in R. v. Golden for strip searches; they argue that a genital swab is no different than a test for gunshot residue on a suspect and is not an intrusion on bodily integrity. [Law Times]

Health / Medical

US – ONC Issues Guidance on PHRs

A report prepared for the Office of the National Coordinator for Health IT provides practical and useful guidance to Health Information Exchange (“HIE”) organizations that are interested in designing and implementing a Personal Health Record (“PHR”) as part of their portfolio of services. [Final Report: HIEs and Personal Health Records Community of Practice: Key Considerations for HIE-based Personal Health Records]

US – White House Issues Medical Guidelines and Funding Opportunities

The White House released the Precision Medicine Initiative (PMI) Privacy and Trust Principles, aimed at building patient trust and protecting patient privacy for precision medicine-related activities last month, as the National Institutes of Health (NIH) announced the availability of $72 million in PMI-related funding opportunities for fiscal year 2016. A Security Policy Framework that will help ensure that security is built into the foundation of the PMI is in development. [Hogan and Lovells]

US – HIPAA Questions Portal a Hit

Some healthcare providers are pleased with the U.S. Department of Health and Human Services’ nascent HIPAA Questions Portal as use of the tool grows. The system allows those in the field to pose questions to HIPAA experts, thus avoiding breaches of protocol. Meanwhile, privacy concerns regarding the app dubbed “the Instagram for doctors” abound. [iMedicalApps]

Horror Stories

US – Toymaker Breach Affects Six Million Children, 4 Million Adults

Toymaker VTech announced that the attack on its Learning Lodge app store and Kid Connect messaging system databases exposed the data of 6.4 million children and 4.9 million adults. The largest share of those affected were in the U.S., with France, the UK, Germany and Canada all in the top five. The stolen data on children included name, gender and birth date; and from adults, name, mailing address, email address, password retrieval questions, IP address and passwords. [The Register] [Washington Post] [Bloomberg] [The Wall Street Journal: VTech Begins Breach Clean-Up] [Reuters] See also: [VTech Hacker Explains Why He Hacked the Toy Company]

Identity Issues

US – Concerns Over ID Protection Overlook Dangers of Inference

The IAPP VP of Research and Education discusses the debate surrounding de-identification. The discussion thus far has generally focused on protecting identity, but that’s distracted policymakers from a central privacy problem in this age of big data, “the ability of organizations to draw highly sensitive conclusions about you without exposing your identity, by mining information about ‘people like you,’” he writes. As such, the main privacy issue isn’t identity, but inference, because even without identification, “machine-made inferences pose risks to societal values of privacy, fairness and equality.” [Yale Journal of Law & Technology] SEE ALSO: [How Dynamic Data De-Identification Is a Bridge to the Future]

CA – Yukon IPC: Health Numbers, Cards Unsuited for Secondary Purposes, Uses

The Yukon Info & Privacy Commissioner issued comments on the Dep’t of Health and Human Services’ proposed development of regulations under the Health Information Privacy and Management Act. The proposed regulations would allow other uses of health cards for government and non-government programs and services; this presents significant risks: public bodies do not have privacy management programs in place, and non-governmental organizations that may use the cards may not be subject to any privacy laws. [Health Information Privacy and Management Act Public Consultation – IPC Comments]

US – Woman’s Ex Used ID-Theft Service to Track Her

An Arizona woman says her ex-husband was able to track her financial movements using an identity-theft protection company after he used her Social Security number to open a bogus account in her name at LifeLock, allowing him to receive alerts and emails when the woman applied for credit cards, leased a car and opened a bank account. “He knew everything I did,” she said. [USA Today]

Law Enforcement

ON – Mental Health, Carding Records No Longer Disclosed by Police

A new Ontario law mandates that police first disclose the results of a record check to the person who is the subject of those records, then that person would have to provide written consent for police to disclose the information to the third party that requested the check. The Liberal government introduced the act after stories emerged of people being stopped at the U.S. border after records of suicide attempts were disclosed and people being prevented from volunteering because they witnessed a crime. This legislation does not cover information sharing between police agencies, so it may not prevent mental health records being used to turn people away at the border. [City News]

CA – RCMP Unveils Plan to Tackle Cybercrime

The RCMP published its Cybercrime Strategy setting out objectives, strategic enablers and 15 action items to be implemented over the next 5 years. The Mounties’ strategy is designed to tackle technology-based crime that is increasingly moving beyond their ability to investigate because of advanced encryption, the global reach of crime and enhanced privacy protections. Missing in the RCMP report — and the broader debate about privacy versus public safety in Canada — is comprehensive data from police detailing the scope of the problem. [Source] See also: [‘We can’t protect public from cyber crimes’: RCMP boss] [RCMP need warrantless access to online subscriber info: Paulson] [The RCMP wants more online surveillance power. We should say no] [Once again, the RCMP calls for warrantless access to your online info. Once again, the RCMP is wrong]

US – LA Considers Notifying Potential Johns They’re Being Watched

L.A. City Council wants to tackle prostitution by sending “Dear John” letters to the homes of any drivers who linger in the area by taking note of their license plates. Critics call the move “stigmatic” for neighbors, while arguing that some cars, like garbage trucks, aren’t necessarily in the neighborhood for company. Displeasure with being surveilled seems to be the biggest concern, however. “Registered owners will know the city is watching your every move and notifying you of it,” said a commenter at a public hearing on the motion. “If Hitler were here, he would applaud you today,” adding in no uncertain terms that he felt the proposal to be “fascism on steroids.” [fusion.net]

Location

EU – CNIL Identifies When Employees’ Work Vehicles Can Be Tracked

France’s Commission nationale de l’informatique et des libertés (“CNIL”) published guidelines on geolocation tracking in vehicles. Geolocation devices can be installed on employee vehicles to monitor and charge for a transport service (such as an ambulance, in the context of billing the health insurance company), for the security of employees (e.g., a commercial truck carrying merchandise of great value), and to improve the allocation of resources (e.g., to identify the ambulance closest to an accident); geolocation devices cannot be installed to monitor compliance with speed limits. [CNIL Guidelines for the Use of Geolocation Tracking of Employees (French)]

Online Privacy

WW – Cross-Device Tracking Raises Consumer Awareness Concerns

At a workshop on cross-device tracking, the FTC Chairwoman described the uses of probabilistic models, which make inferences from information over which the user has no control, such as shared IP addresses or location information when two devices are consistently used together in the same household. This type of tracking raises transparency issues (it employs persistent identifiers), and there are almost no tools that tell consumers which devices are linked together or to them, or that allow them to opt out of the linking of the identifiers. [FTC – Remarks of FTC Chairwoman Edith Ramirez at FTC Workshop on Cross-Device Tracking] See also: [FTC Guidance is Needed for Cross-Device Tracking – CDT] See also: [TD Visa customers’ browsing activities open to ‘surveillance’ by bank; Bank denies collecting general information about what customers do online]

Other Jurisdictions

AU – Australia Introduces New Counter Terrorism Legislation

Australia’s Attorney General introduced new counter-terrorism legislation; the bill includes measures that will allow a control order to be imposed on persons 14 years or older, simplify monitoring of individuals subject to control orders through enhanced search, telecommunications interception and surveillance device powers and introduce a new offence of advocating genocide. [Attorney-General] See also: [AU – Government Unveils Data Breach Notification Bill, Seeks Input]

Privacy (US)

US – EFF Wants FTC to Investigate Google Apps for Ed

The EFF says in a complaint to the FTC that Google’s Apps for Education violates the Student Privacy Pledge the company signed in January, which indicates it will only collect, store or use student data for educational purposes. The EFF found that the company was collecting kids’ personal information through the “Sync” feature in the Chrome browser that “is enabled by default on Chromebooks sold to schools” and says Google is using that information for uses beyond education. Google has agreed to change the settings for computers sold to schools but is “confident that these tools comply with both the law and our promises, including the Student Privacy Pledge.” [The Wall Street Journal]

US – Task Force Recommends Register Drones at Point of Operation, Not Sale

The Federal Aviation Administration’s Unmanned Aircraft Systems (“UAS”) Registration Task Force (“RTF”) Aviation Rulemaking Committee (“ARC”) issued its final recommendation in relation to drone/UAS registration requirements. All drones under 55 pounds must be registered prior to operation in national airspace; a single registration number will cover all drones a registrant owns, who must register on a free web-based system. [Task Force Recommendations Final Report]

US – Lorrie Faith Cranor Named FTC’s New Chief Technologist

Carnegie Mellon’s Lorrie Faith Cranor will succeed Ashkan Soltani as the FTC’s Chief Technologist, the agency said. “We are delighted to welcome Lorrie to our team, where she will play a key role in helping guide the many areas of FTC work involving new technologies and platforms,” said the FTC Chairwoman. Not everyone reacted positively: “The revolving door of privacy advocates masquerading as Chief Technologists continues at the FTC,” said the Interactive Advertising Bureau. “It’s like they are funding a one semester internship for anyone with advocate bona fides.” [FTC Press Release]

Privacy Enhancing Technologies (PETs)

US – New PIA Templates, Case Study, Announced

Last year, AvePoint announced a free and downloadable privacy impact assessment automation tool, APIA. Now, with more than 2,500 privacy professionals using APIA in countries spanning the globe, a case study has been published. Also, two new questionnaire templates are now available to help users simplify PIAs and carry out surveys according to recommended best practices: third-party vendor assessment and cloud readiness. [IAPP Resource] SEE also: [Hong Kong DPA Issues PIA Guidance]

Security

WW – Study: Employees Account for 80% of Breaches

Experian’s annual Data Breach Industry Forecast found that 80% of breaches are catalyzed by employees—careless or otherwise. “Unfortunately people doing stupid stuff is the largest cause—it’s as simple as putting a non-production server into production, not turning on a malware or firewall protection or as simple as the lost (unencrypted) laptop or USB key.” [BankInfoSecurity] SEE also: [Fung: Tech Teams Need Ethics Training] [Accessing personal information common practice at RNC, Newfoundland privacy commissioner told]

Surveillance

US – DoJ Testifies on Policy Governing Use of Cell-Site Simulators

The Principal Deputy Assistant Attorney General testified before the U.S. House of Representatives’ Subcommittee on Information Technology of the Committee on Oversight and Government Reform at a hearing on Examining Law Enforcement Use of Cell Phone Tracking Devices. [Testimony before the House Committee on Oversight and Government Reform – Department of Justice] See also: [UK GCHQ accused of ‘persistent’ illegal hacking at security tribunal] AND: [U.K. Spies Turn Your Cell Phone Into a Bug in Tech War on Terror]

CA – Vancouver Police Deny FOI Request for Cellphone Tapping Info

On September 11, 2015, the Information and Privacy Unit of the Vancouver Police Department (VPD) replied to a July 23 FOI request, explaining that it was unable to provide access to the requested information. In accordance with section 15(1)(c) of the B.C. FIPPA, the VPD refused to release the records requested on the grounds that any disclosure would be harmful to law enforcement. Furthermore, in accordance with section 8(2) of the act, the VPD refused to confirm or deny that any such records existed. The VPD’s response reminded many in the press that the Harris Corporation has, in the past, required U.S. law enforcement agencies buying its brand-name StingRay technology to sign non-disclosure agreements (NDAs), requiring questions from the press and the public to be answered as obliquely as the VPD answered the Pivot FOI request. [Source]

Telecom / TV

US – National Security Letter Content Revealed

A US District court judge has allowed a former ISP owner to disclose the content of a National Security Letter he received in 2004. NSLs come with gag orders, forbidding recipients from disclosing their contents or even revealing that they have been received. The document reveals that the FBI sought the target’s entire web browsing history, the IP addresses of everyone the target corresponded with, and a record of all the target’s online purchases. [v3.co.uk] [ArsTechnica] [Yale.edu] [Newly published FBI request shines light on National Security Letters]

US Legislation

US – Sen. Announces Proposed Surveillance Bill

As the government said goodbye to the NSA bulk phone record surveillance program, Senator Tom Cotton (R-AR) introduced the Liberty Through Strength Act II, a bill that aims to “let the government keep the phone records it has already collected for five years.” According to critics, the bill is “Big Brother on steroids.” FreedomWorks’ CEO took umbrage with Cotton and others who “are willing to sacrifice our liberties on the altar of security” and “treating Orwell’s 1984 as a how-to guide instead of a warning.” [SC Magazine] SEE ALSO: [Chat, text, email – Congress moves to stop government snooping]

Workplace Privacy

WW – New Employee Monitoring Software Opens Up Range of Legal Issues

Canadian employers looking to track workplace satisfaction and productivity are taking inspiration from foreign companies that use personal data trackers and data analysis to improve employee performance. However, employers looking to gain the benefit from such programs should prepare for workers raising challenges related to this new practice. Incidental breaches of privacy abound, as do concerns whether the employer’s use of data unfairly prejudices certain employees. Finally, data associated with an individual employee may become disclosed in the course of wrongful dismissal claims. Before using data to track employee productivity, employers would be wise to develop human resources policies in anticipation of challenges raised by workers, as well as to make workers aware of how data will be used. At this early stage, employers may even want to “decouple” data so that it cannot be linked with an individual employee. [Lawyers Weekly] See also: [The Chilling Effect of Privacy Invasion]

CA – Federal, BC and Alberta Commissioner Issue BYOD Guidance

The underlying message contained in the Guidelines appears to be “proceed with caution, if at all”. Implementing a BYOD arrangement for employees should not be taken lightly, and the Guidelines raise a number of issues which must be carefully considered prior to moving ahead with such an arrangement. The complete Guidelines can be found here. The Guidelines are summarized at [Lexology] [Is a Bring Your Own Device (BYOD) Program the Right Choice for Your Organization] See also: [IAPP BYOD Resources]
